2.76 - bug fix for libpsx on arm64 and some other architectures; fix for newer glibc's and having .so files be runnable; lots of documentation updates.
2.75 - fixed psx Go module packaging
2.74 - fixed multi-arch PSX mechanism as used by Go.
2.73 - fix for multi-architecture libpsx support, other minor fixes - mostly documentation.
2.72 - rewrote libpsx to operate at the LWP abstraction (below that of pthreads on Linux systems).
2.71 - small fixes to build system and documentation updates. Added a new signing key (used for sig-libcap-X.YZ tags).
2.70 - (minor release) make harder to set invalid file caps with setcap and documentation updates.
2.69 - resolving issues revealed by a security audit of libcap and friends.
2.68 - mostly documentation related fixes; for the first time employ the __attribute__((visibility ("hidden"))) attribute to enfoce the libcap documented API; more fun extending the non-cgo linking-C psx example to cross compile for arm.
2.67 - mostly documentation fixes/clarifcations including SPDX entries in the License files; some fun contrib changes relating to C and Go.
2.66 - small fixes; added a captrace utility to help figure out what capabilities a privileged program actually needs.
2.65 - prevent capsh --user from generating bash errors; some debugging and documentation fixes.
2.64 - minor bug fixes including errno handling by cap_*prctl() functions.
2.63 - restore errno to zero for main execution; consistent behavior for "psx" package if syscall results differ.
2.62 - bugfix for Go package "cap" Launch feature; introduce HYBRID mode; minor documentation updates ; build warning fixes for 32-bit platforms.
2.61 - better number parsing in capsh and setcap; fixed segfaulting in .so executables; added example of capable shared library object.
2.60 - make libcap and the cap package much more thread safe (better atomicity of API); build and linting fixes; added cap_fill_flag() API; implemented --quiet and -+ and =+ support in capsh
2.59 - bugfix to not segfault as much (cap_t = NULL is recognized with a failure vs. SIGSEGV); minor doc fixes
2.58 - free memory on library exit; pam_cap.so can now set Ambient vectors with Linux-PAM compliant apps; doc cleanups.
2.57 - More Makefile cleanups (don't build tests unless testing); --mode and --strict capsh args; clean up getcap -r / output.
2.56 - More Makefile cleanups; fixed a bug in test_pam_cap; fix sucap/su Inheritable flag handling; enhance captree.
2.55 - Tons of static analysis fixes; captree now has a man page and more features; revamped way libcap manages memory
2.54 - fix a memory leak in cap_iab_get_proc() and verify allocation; fix error handling in cap_reset_ambient(); add an IAB comparison API; add a captree Go binary and support getpcap --iab; absorb some downstream package patches.
2.53 - bug fix for cap_launch (error propagation); support clang (again); documentation fixes and updates
2.52 - *.so can be run as standalone binaries; pam_cap.so has default argument; capsh has --current argument; include a fully capable su implementation.
2.51 - resurrected capsh install target(!); pam_cap.so new autoauth arg; added cap_fill() API; support for golang 1.17 builds
2.50 - documentation updates, including capsh --explain and --suggest options
2.49 - add a lower overhead launching function cap_func_launch() and cap.FuncLaunch() with lots of doc updates
2.48 - some Makefile and documentation fixes; adopt Go module major version 1 (now that go1.16rc1 is out)
2.47 - minor update, add use of PR_SET_NO_NEW_PRIVS to libcap mode NOPRIV
2.46 - so many fixes for libpsx, it is probably not worth using earlier versions
2.45 - fix capsh "==" option and libpsx support
2.44 - make related features allow building for pthread-less systems
2.43 - Add support for CAP_CHECKPOINT_RESTORE, libpsx.a considered stable
2.41 - cap_to_text() generates more compact text representation Go and C support at parity
2.40 - documentation updates
2.39 - musl libc support
2.37 - Add support for CAP_BPF and "Go module" support for "psx" and "cap"
2.36 - Add support for CAP_PERFMON
2.35 - pam_cap.so now allows PAM_REINITIALIZE_CRED
2.34 - capsh supports overriding the shell for "--" (default to bash, but can override that too)
2.33 - introduced IAB abstraction for 3 flavors of inheritable capability: pam_cap.so uses this text representation for config. Introduced cap_launch functionality (for launching a lesser privileged child process from a POSIX semantics libcap multi-threaded program)
2.31 - documentation updates
2.30 - revived the 'all' keyword for capabilities. This was broken by a kernel change at some point, and has been unusable ever since. Now defined to mean "all the capabilities named by the hosting kernel".
2.29 - pam_cap.so supports @group syntax and first hints of an IAB text representation. libcap introduces cap_modes.
2.28 - first release of libpsx (providing POSIX semantics for system calls), to support POSIX semantics for libcap for the first time - a bit buggy in this release; this also enabled a working port of libcap to native Go.
2.27 - this has been out there so long, we can call this the assumed feature set.
Fix mistakes in setcap for reporting errors: report them with the appropriate filename. Thanks to Nikolas for reporting these in Bug 220245.
Add (unverified) support for the PSX mechanism on microblaze, arc, openrisc and xtensa architectures. Thanks to Tom Petazzoni for including these in Bug 219915
Please let me know if these work or fail on these architectures.
Add C++ support to the run a .so file as an executable mechanism employed by libcap.so, libpsx.so and pam_cap.so. Not really necessary for the libcap build tree, but wanted to capture the details of my recent update to a Stackoverflow answer on the topic.
More libpsx and psx Go package mechanism fixes (many thanks to Christial Kastner for helping dive into the off-piste architectures. See Bug 219915.)
Address an arm64 (aarch64) libpsx issue seen with Tracee. (Tagged psx/v1.2.76-rc1)
Note, 2.75 should have fixed the tracee issue 4678 but the above issue emerged from their extensive testing. Thanks to Gregório G. for reporting the observed failure details.
More architectures supported: of the many architectures Debian builds for, we think only alpha and sparc64 have problems. Unable to construct qemu-*-system images with which to debug these. If anyone has a recipe for that that works for Fedora as a base platform, please provide details...
To make the various .so files continue to be runnable as standalone programs added another workaround for glibc. (Bug 219880 reported by Christian Kastner.)
_IO_stdin_used needs to be weekly defined to make puts() and friends work. Also updated the Stackoverflow answer to include that detail.
Made a new man page cap_text_formats(7). This makes it possible to separate the tool man pages from the developer man pages. I believe this was the second time this was requested, by Carlos Rodriguez-Fernandez this time (can't find the former request in my email).
Some man page cross linking fixes as well.
Dropped Make.Rules definition of SYSTEM_HEADERS Thanks to Ross Burton for reporting.
Removed a spurious debugging printf() from setcap tool.
Removed cap_ workarounds for go.dev cap package examples. The website bugs have been resolved: go/issues/70611; go/issues/70630.
Added a Makefile to the contrib/seccomp example.
This release is devoted to a fix for Bug 219838 reported by Frank.
ERRATA
Bug 219838 the psx go package fails to build standalone.
You can work around this by go mod vendor in your code tree
or upgrade your package reference to psx/v1.2.75.
This release addresses Bug 219687 reported by David Runge.
Code at HEAD (tagged {cap,psx}/v1.2.74-rc5) fixes it for {x86,arm,mips}x{32-bit,64-bit}, ppc64, s390x and riscv.
The mips32 support requires a more modern Go compiler than the default provided by Debian. For successfully testing I used go1.24.0.
May be fixed for loongarch, but no system to test this with (derived from mips, so perhaps it is fixed).
Group syntax parsing bugfix for pam_cap from Tianjia Zhang.
Doc typo fix for cap_get_proc.3 from Tianjia Zhang.
Fix transitive include in capsh.c from Leo.
Go package documentation updates, including more cap examples.
ERRATA
Another issue with libpsx. Details are here. Working towards a fix and plan to include that in 2.74. libpsx and the Go psx package have not been stable since the [v1.]2.71 release.
Bug fixes for libpsx changes in the 2.72 release.
Some architectures do not support the system call getdents(). More modern architectures only support getdents64(), so use that. Patch provided by Xi Ruoyao.
gettid() isn't consistently defined in all *libc's so create a macro for using it in the libpsx sources.
Fix some static analysis found issues, surfaced by Carlos Rodriguez-Fernandez from an analysis performed on Fedora's libcap-2.71 release.
Third attempt to get an executable cap package runnable example into the documentation on pkg.go.dev.
It still isn't working, but I think the issue is now one for the go.dev website:
Filed go/issues/70630 which got duped into this go/issues/70611 and a fix was requested by Ian Taylor.
Preparatory workaround in tree for next release. If the committed fix for the pkg.go.dev website goes live, we'll revert the workaround before releasing libcap-2.74.
Remove a redundant c.String() function since fmt.Println(c) can figure this detail out.
Freshen up setcap.c sources. Sort the argument help.
Add go vet to the tests for cap and psx packages.
ERRATA:
Failed to support more modern Linux architectures including arm64. Fix provided by Xi Ruoyao.
This specific release is devoted to a wholesale rewrite of libpsx to operate on native Linux threads (aka LWP = Light Weight Processes).
Given the potential for misbehavior, we're isolating this release to that change.
Should some issue(s) arise, and folk need to roll back, this will hopefully make downstream packagers' lives a bit easier: skip this release altogether.
This addresses LCAP-CR-23-102 (SEVERITY) NONE from the libcap-2.69 security audit. This addresses Bug 217476.
This addresses C++ std::thread libpsx support. This addresses Bug 218607 reported by Vini Ipsmaker.
Included a test case for this: contrib/bug218607/
This now allows the PSX mechanism to apply to threads launched by loaded .so plugins. This addresses Bug 219174 reported by Stas Sergeev.
Included a test case for this: tests/b219174.c
The rewrite has significantly reduced the need for any odd linking of the -lpsx library. Namely, if code makes use of the psx_syscall*() functions, there is no need for anything other than -lpsx on the link line.
Updated a whole lot of documentation that warned folk about the -wrap=pthread_create linking need not being needed any more. (Bug 219456)
Linking -lcap and -lpsx still requires some extra care. Updated cap_get_proc(3) manual page to explain.
Was unable to figure out how to work around the pre-go1.16.* bug related to cgo and interrupt handling while thread exit with the rewritten libpsx code. Decided to abandon full support for earlier versions of Go.
Explanation is Bug 219478 which points to old Go bug.
Transitioned key used for signing Go package tags to use the 0D23D34C577B08C4082CFD76430C5CFF993116B1 key.
Very tiny documentation change for the cap package to try again to get a runnable example to show up on the pkg.go.dev website.
Reduce the need for CAP_SETPCAP in IAB setting to the specific instances in which the kernel requires it. This addresses Bug 219169 reported by Christopher Head.
Resolve subtle libpsx linker flag issue related to -Bsymbolic-functions. This addresses Bug 219169 reported by Stas Sergeev.
Add new GPG signing key. At this stage, none of the older keys have been retired. This addresses Bug 218860 requested by David Runge at Arch Linux. Key details:
$ gpg --fingerprint 0D23D34C577B08C4082CFD76430C5CFF993116B1
pub ed25519 2024-10-26 [SC]
0D23 D34C 577B 08C4 082C FD76 430C 5CFF 9931 16B1
uid [ultimate] Andrew G. Morgan (2024+ libcap signing key) <morgan@kernel.org>
sub cv25519 2024-10-26 [E]
Expand use of various $(xFLAGS) to building simple binaries in the build tree. Requested by Pierre-Clément Tosi.
Numerous documentation updates and clarifications.
Added a programming example to the cap package documentation. Exploring how to embed viewer runnable content in the automatically generated online pkg.go.dev documentation.
Work around a longstanding glibc segfault annoyance for in-build-tree testing.
setcap changes to make it harder to set invalid file capabilities (Bug 217592 reported by parke.nexus)
Lots of documentation fixes (contributions from Jakub Wilk and Carlos Rodriguez-Fernandez)
Fix c89 compilation syntax for the C code in the libraries.
libpam has deprecated providing the _pam_overwrite() function, so use memset() instead
An audit was performed on libcap and friends by https://x41-dsec.de/ (blog) . The audit (final report, 2023-05-10) was sponsored by the the Open Source Technology Improvement Fund, https://ostif.org/ (blog). Five issues were found. Four of them are addressed in this release. Each issue was labeled in the audit results as follows:
LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
LCAP-CR-23-100 (SEVERITY) NONE
LCAP-CR-23-101 (SEVERITY) NONE
LCAP-CR-23-102 (SEVERITY) NONE (see the 2.72 release)
Man page style improvement from Emanuele Torre
Partially revive the ability to build the binaries fully statically.
This was needed to make bleeding edge kernel debugging/testing via qemu+busybox work again. Addressing an issue I realized only when I tried to answer this stackexchange question.
Force libcap internal functions to be hidden outside the library (Bug 217014)
Expanded the list of man page (links) to all of the supported API functions.
fixed some formatting issues with the libpsx(3) manpage.
Add support for a markdown preamble and postscript when generating .md versions of the man pages (Bug 217007)
psx package clean up
fix some copy-paste errors with TestShared()
added a more complete psx testing into this test as well
cap package clean up
drop an unnecessary use of ", _" in the sources
cleaned up cap.NamedCount documentation
Converted goapps/web/README to .md format and fixed the instructions to indicate go mod tidy is needed.
cap_compare test binary now cleans up after itself (Bug 217018)
Figured out how to cross compile Go programs for arm (i.e. RPi) that use C code, don't use cgo but do use the psx package (all part of investigating bug 216610).
Eliminate use of vendor directory
Replace use of fgrep with grep -F (POSIX grep flags preferred by GNU grep) - patch from David Seifert.
Added SPDX identifiers to License file(s). Hopefully this will help the various robots out there correctly identify the longstanding licenses for libcap and friends. (Bug: 216609 reported by Günther Noack)
Started down the rabbit hole of trying to address (Bug: 216610 reported by Günther Noack on behalf of Michael Stapelberg)
The basic issue is how to link C code with Go psx without using CGo. This is all a low level hackery. If you are interested, browse the source.
Correct for bad whatis entries in man pages (this was throwing a Debian build test, detail)
Also reviewed man pages and addressed cross linkage issues (Bug: 216585)
Cleaned up some README.md files (made a github mirror now just so I can automatically render them).
Changed meaning of DYNAMIC=no builds.
This now builds everything with static linking except for libc. The reason for this exception is explained in the commit message.
Inserted demonstration exploit code in capso.so to support article.
Fix documentation typos in cap_from_text.3 (Bug: 216514 reported by Paulo Andrade.)
Some getpcaps code clean up and a fix for PID argument parsing from Jakub Wilk.
Slightly more robust Makefiles to address an error with make -j48 test observed by Tomasz Kłoczko.
Include a simple Go program, captrace, to trace kernel capability validation checks
This program can be used to figure out what capabilities a program needs to operate.
captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel for capability checks and whether or not they succeed for the system, a specific PID or a program's direct execution.
Trim down the default file capabilities for contrib/sucap/su to those actually needed and set USER and HOME environment variables so bash doesn't complain about a sourcing error.
Fix syntax error in DEBUG build of protected code in setcap.c. (Bug reported by yixiangzhike.)
Prevent bash from reading the wrong startup files when the capsh --user=xxx argument is used to invoke a shell as the user xxx. This is done by capsh now changing the USER and HOME environment variables when --user is specified. The argument --noenv can be used to suppress this behavior to what used to be the problematic default. (Bug: 215926)
Improved documentation:
Man page info for cap_get_pid() and cap_reset_ambient(). (Bug reports from nomonemo and Tinkerer One.)
Improve documentation and help for the captree program.
Updated go/Makefile comment about an unfixed Go runtime bug in go1.16 and go1.17 (resolved in go1.18+), and the deadlock behavior of the psx-fd test.
Refresh the signatures on the two GPG keys morgan@ uses. The 4096 bit one is preferred, but the older one is also used for continuity reasons. This set of signatures should also be available from the various key servers out there.
Fix memory leak in libpsx at program exit. (Bug: 215551 reported by Kalen Hall)
Be more resilient to CGo configuration with Go compiler when building tests. (Bug: 215603)
Fix cap_*prctl() return code/errno handling. (Bug: 215772 reported by Anderson Toshiyuki Sasaki)
Minor clarification to cap_get_pid() man page concerning pid value within namespaces. (Bug: 215812)
Restore errno to zero by the time main() is executed
Bug reported by Yang Xu
Consistent psx handling (a panic) for syscalls that return thread dependent status
Inconsistend behavior noticed by Lorenz Bauer (Bug: 215283)
Add a test case for a deadlock under investigation in golang #50113
Bug reported by Weixiao Huang
Trim some of the #include file use to make the tree compile more efficiently
Bug fix for Go package "cap" and launching:
There was a race condition, reported by Lorenz Bauer (Bug: 215283)
Build cleanups:
David Seifert cleaned up warnings for 32-bit builds
No longer use Perl in the libcap build process (Gentoo had a compelling reason to avoid this dependency)
Documentation updates: cap_max_bits has a man page entry; Go module cap updates for Launch detail.
Recognize default securebits as a libcap mode: HYBRID.
[ Nothing to do with libcap, but this release was used to expose a gcc bug as per: 103961 ]
Better error handling of the numerical arguments for capsh and setcap.
Fix executable mode for all of the .so files. There were two situations where this was failing (with a hard to debug SIGSEGV inside libc). Bugs reported by Sam James. Both the same solution related to stack alignment and use of SSE instructions:
Added an example of a shared library object with its own file capability.
It demonstrates how to give a shared library a file capability and offer it as a linkable privileged API service to an otherwise unprivileged binary.
Fix the top-level include for Make.Rules in the contrib/sucap example application
Add support for running constructors at libcap.so start up time when running as stand alone binary.
This enables the binary executable to print out some dynamically generated content when given the --summary argument.
Some build, code linting fixes, the addition of the cap_fill_flag() API and a memory latency optimization contributed by Google (Bugs: 214579 214601 214599)
General improvement in thread safety for libcap and cap package (Bug: 214715)
Minor API change replacing libcap:cap_launch_*() void returning functions with int + errno status returns.
This should be backwardly compatible for code.
Added a cap_iab_dup(), and (*cap.IAB).Dup() to API.
Fixed (*cap.IAB).Fill() which was previously malfunctioning for certain Inh and Amb copies.
New features for capsh
--quiet can be used to suppress the start up check that the local libcap is modern enough to name all of the capabilities known to the hosting kernel
Added -+ and =+ arguments. These are fork+exec equivalents to -- and == respectively (that use the cap_launch API).
libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
More make -j13 fixes (missing dependency for make -C progs sudotest).
Various minor documentation fixes.
Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
In addition to the bug, related discussion is in two Github issues: https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and https://github.com/rra/pam-krb5/issues/21
Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)
Minor contrib/sucap/su.c cleanups
Clean up kdebug build rules
More documentation cleanup
capsh enhancements:
--mode makes a guess at the libcap mode of the current process (Bug 214319)
--strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
useful for learning all the steps; and helps this article be more pedagogical.
Build system fixes
Preserve $(WARNINGS) (Fix from David Seifert)
Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
Support make -j12 for all, test and sudotest targets
getcap -r / now generates readable output (Bug 214317)
Some documentation cleanup: more consistency.
Canonicalize the Makefile use (in collaboration with David Seifert)
In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
Doc fixes for cap_iab.3
Added color support to captree, which helped make the following fix generate readable output:
Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
Fixed contrib/sucap/su to correctly handle the Inheritable flag.
Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
This generated a few broken builds until it was fixed.
Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
This is only potentially useful with the recently added cap_iab_get_pid() function
Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.
Now make GOLANG=yes only installs the captree utility
Added some features to captree and created a small article on it
Added a man page for the captree utility
Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
Included adding --has-b support to capsh
Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
Revamped the Go capability comparison API for *cap.Set and *cap.IAB: (x).Cf(), and added cap.IABGetPID()
Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
Extended getpcaps to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
Install *.so files as executable now that they are executable as binaries
A feature of 2.52 but not extended to install rules at that time.
Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
Fixed a compiler warnings from the GitHub build tester (Bug 214143)
The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
Added a test case for this too.
Lots of tyops fixed in code and documentation (also by Samanta Navarro)
Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
These distributions failed to observe a runnable pam_cap.so and various make options failed.
Support clang builds (again). (Reported by Johan Herland 214047)
This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
The support is used to display some description information.
To activate it, these binaries need to be installed executable (chmod +x ...)
We also provided a write-up of how to enable this sort of feature in other .so files here.
The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
Added capsh --current support.
Minor documentation updates.
Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
Fix capsh installation (Bug 213261 - reported by Jan Palus)
Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
This can be used to raise all the Permitted capabilities in a Set with one API call.
In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
This is with an eye to the imminent golang change removing support for GOPATH based building.
Minor compilation warning fixes
Some new capsh features:
--explain=cap_foo: describe what cap_foo does (Bug 212451)
--suggest=phrase: search all the cap descriptions and describe those that match the phrase
Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)
extend libcap to include cap_prctl() and cap_prctlw() functions to regain feature parity with Go "cap" package. These are only needed when linking against -lpsx for keepcaps POSIX semantics.
this likely requires substantial application changes to make Ambient capability support usable in general, but doing our part for the admin.
Add a test case for recent kernel fix (Bug 212737)
Go pragma fix for convenience functions in "cap" module (reported by Lorenz Bauer. Bug 212321)
Minor man documentation updates
Minor build tree improvements (mostly for maintainer)
Implement cap_func_launcher() and cap.FuncLauncher(). This was a feature request from Gregory Fuchedzhy (Bug 211919)
Modified the internals of "cap" to allow cap.SetProc() and friends from within the launcher callback function.
Prior to this release, such calls would deadlock. Updated the docs to explain this new freedom.
More robust "psx" redirection for nocgo compilation - the documentation for the cgo implementation is now included in the nocgo one because the go.dev automated documentation builds the docs from the nocgo version.
Lots of documentation cleanups and added a few man pages: for IAB and Launching.
A little Makefile manipulation to:
better use musl when requested (ie., with cgo compilation)
execute kernel tests on demand that don't require human interaction to closed the QEMU terminal
Some general no-op License changes that might cause folk to notice but only for formatting reasons. These were initially inspired by some lawyerly interactions, but I ended up rolling back half of them because they confused automated software infrastructure.
More uniform use of $(MAKE) in Makefiles - fixes from Andrew Delgadillo
No longer include symlinks in the git tree (any that are needed are built as part of make ...)
Provide support for make GOLANG=no ...
Provide support for pointing at a specific build of the go binary. Ex. make GO=~/sdk/go1.16rc1/bin/go ...
camelCase the contrib/seccomp/explore.go program
A number of documentation fixes to man pages and source code comments
Last use of GO major version 0 (all subsequent Go module releases will be 1.2.* etc.)
We've provided tagged cap/v1.2.48 and psx/v1.2.48 Go modules, slightly past the official libcap-2.48 tags, but with the Go code identical to the 0.2.48 versions.
Baring a backwardly incompatible change to Go, we have no plans for using a GO major version 0 (again) or 2.
Changes to the goapps/gowns example for exploring namespaces with Go (cap and psx).
NOPRIV libcap mode now also employs NO_NEW_PRIVS prctl bit.
Improved cap documentation.
Refactored psx and cap go modules to place the cgo or nocgo build options into psx explicitly
remove the allthreadssycall build tag support (go1.16 version tag works instead).
Add help and license info to getcap and friends.
The bulk of this release concerns fixes and improvements to lib[psx]:
Allow a dying thread to participate in the psx-fixup mechanism - bug
Golang had some issues with lib[psx]using SIGRTMAX for the psx-fixup mechanism - bug#210533 (reported by Lorenz Bauer)
lib[psx] now interrupts SIGSYS (probably still needs some work to support the signal pass-through)
The psx Go package, because it contained a sub-directory with only a .h header in it, did not work with Golang module vendoring (reported by Lorenz Bauer)
we've collapsed down the whole libcap/psx directory to be flat now
The 6-argument psx_syscall6() and psx.Syscall6() now work - bug#210613 (reported by Lorenz Bauer)
Refactored the way Go package"cap" decides whether or not to use syscall.AllThreadsSyscall*() or the psx-fixup mechanism into the "psx" package. This way, all that build complexity resides in the "psx" package, which should also make that package more useful for other applications.
Compile more things CGO_ENABLED=0 where there is support.
Discovered a Golang bug so can't do it with psx-signals for this libcap release.
Cleanup of build tree:
Deleted the POSIX semantics validation tests for Golang. I've long since migrated them to the golang source tree.
Added some .gitignore entries for build targets.
Made libcap/kdebug make target work again and run progs/quicktest.sh to completion.
Started to develop goapps/gowns a program that can work with capabilities and Containers. Not too much functionality yet.
Fix the capsh == argument handling and add a test case - bug#209873 (report by Marcus Gelderie)
Add support for libpsx.so building - bug#206093
Documented reason libpsx exists with an example of the class of exploit it protects against
Cleaned up man page
Added build support for systems that do not support libpthread (make PTHREADS=no ...) - bug#209875 (requested by Heiko Thiery)
Added build support for not building shared libraries (make SHARED=no ...) (requested by Heiko Thiery)
Generally, this is a release to help package builders: no functional change to any of the generated code just documentation and make related fixes.
2.43 was a regression for cross-compilation purposes Rolf Eike Beer provided two patches to address this.
Recent golang builds (pre-release) default to ignoring GOPATH, so adjust the in-tree building to override this explicitly with GO111MODULE=off
Support testing of a DYNAMIC=yes build with the shared libraries (in collaboration with Thomas Petazzoni)
This includes only requiring a statically linked version of capsh (tcapsh-static) with sudotest
Thomas Petazzoni verified that uClibc can also build statically.
Support build trees that have no pthreads in the environment (request from Fabrice Fontaine)
Go package document updates since golang 1.15 is released.
Linus' kernel tree defines CAP_CHECKPOINT_RESTORE (40) so support it.
Fix the creation of the $(FAKEROOT)$(LIBDIR) for split install targets - fix from Christian Kastner
Clean up a binary from the distribution - observation and fix from Petr Ovtchenkov
This was inadvertently left over from my first attempt to deprecate the manual psx wrapping.
Added some more release time checks for non-git tracked files.
Fix a deadlock in libpsx that surfaced with a set of compiler optimizations by removing the psx wrapping harder.
Click through to release notes pre-libcap-2.43 which were automatically imported from the older Google Sites layout.