Release notes for libcap et al

Release notes for 2.69

• An audit was performed on libcap and friends by https://x41-dsec.de/ (blog) . The audit (final report, 2023-05-10) was sponsored by the the Open Source Technology Improvement Fund, https://ostif.org/ (blog). Five issues were found. Four of them are addressed in this release. Each issue was labeled in the audit results as follows:

  • LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir

  • LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger

  • LCAP-CR-23-100 (SEVERITY) NONE

  • LCAP-CR-23-101 (SEVERITY) NONE

  • LCAP-CR-23-102 (SEVERITY) NONE

• Man page style improvement from Emanuele Torre

• Partially revive the ability to build the binaries fully statically.

  • This was needed to make bleeding edge kernel debugging/testing via qemu+busybox work again. Addressing an issue I realized only when I tried to answer this stackexchange question.

Release notes for 2.68

• Force libcap internal functions to be hidden outside the library (Bug 217014)

• Expanded the list of man page (links) to all of the supported API functions.

  • fixed some formatting issues with the libpsx(3) manpage.

• Add support for a markdown preamble and postscript when generating .md versions of the man pages (Bug 217007)

• psx package clean up

  • fix some copy-paste errors with TestShared()

  • added a more complete psx testing into this test as well

• cap package clean up

  • drop an unnecessary use of ", _" in the sources

  • cleaned up cap.NamedCount documentation

• Converted goapps/web/README to .md format and fixed the instructions to indicate go mod tidy is needed.

• cap_compare test binary now cleans up after itself (Bug 217018)

• Figured out how to cross compile Go programs for arm (i.e. RPi) that use C code, don't use cgo but do use the psx package (all part of investigating bug 216610).

  • Eliminate use of vendor directory

Release notes for 2.67

• Replace use of fgrep with grep -F (POSIX grep flags preferred by GNU grep) - patch from David Seifert.

• Added SPDX identifiers to License file(s). Hopefully this will help the various robots out there correctly identify the longstanding licenses for libcap and friends. (Bug: 216609 reported by Günther Noack)

• Started down the rabbit hole of trying to address (Bug: 216610 reported by Günther Noack on behalf of Michael Stapelberg)

  • The basic issue is how to link C code with Go psx without using CGo. This is all a low level hackery. If you are interested, browse the source.

• Correct for bad whatis entries in man pages (this was throwing a Debian build test, detail)

  • Also reviewed man pages and addressed cross linkage issues (Bug: 216585)

  • Cleaned up some README.md files (made a github mirror now just so I can automatically render them).

• Changed meaning of DYNAMIC=no builds.

  • This now builds everything with static linking except for libc. The reason for this exception is explained in the commit message.

• Inserted demonstration exploit code in capso.so to support article.

Release notes for 2.66

• Fix documentation typos in cap_from_text.3 (Bug: 216514 reported by Paulo Andrade.)

• Some getpcaps code clean up and a fix for PID argument parsing from Jakub Wilk.

• Slightly more robust Makefiles to address an error with make -j48 test observed by Tomasz Kłoczko.

• Include a simple Go program, captrace, to trace kernel capability validation checks

  • This program can be used to figure out what capabilities a program needs to operate.

  • captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel for capability checks and whether or not they succeed for the system, a specific PID or a program's direct execution.

• Trim down the default file capabilities for contrib/sucap/su to those actually needed and set USER and HOME environment variables so bash doesn't complain about a sourcing error.

Release notes for 2.65

• Fix syntax error in DEBUG build of protected code in setcap.c. (Bug reported by yixiangzhike.)

• Prevent bash from reading the wrong startup files when the capsh --user=xxx argument is used to invoke a shell as the user xxx. This is done by capsh now changing the USER and HOME environment variables when --user is specified. The argument --noenv can be used to suppress this behavior to what used to be the problematic default. (Bug: 215926)

• Improved documentation:

  • Man page info for cap_get_pid() and cap_reset_ambient(). (Bug reports from nomonemo and Tinkerer One.)

  • Improve documentation and help for the captree program.

• Updated go/Makefile comment about an unfixed Go runtime bug in go1.16 and go1.17 (resolved in go1.18+), and the deadlock behavior of the psx-fd test.

• Refresh the signatures on the two GPG keys morgan@ uses. The 4096 bit one is preferred, but the older one is also used for continuity reasons. This set of signatures should also be available from the various key servers out there.

Release notes for 2.64

• Fix memory leak in libpsx at program exit. (Bug: 215551 reported by Kalen Hall)

• Be more resilient to CGo configuration with Go compiler when building tests. (Bug: 215603)

• Fix cap_*prctl() return code/errno handling.  (Bug: 215772 reported by Anderson Toshiyuki Sasaki)

• Minor clarification to cap_get_pid() man page concerning pid value within namespaces. (Bug: 215812)

Release notes for 2.63

• Restore errno to zero by the time main() is executed

  • Bug reported by Yang Xu

• Consistent psx handling (a panic) for syscalls that return thread dependent status

  • Inconsistend behavior noticed by Lorenz Bauer (Bug: 215283)

• Add a test case for a deadlock under investigation in golang #50113

  • Bug reported by Weixiao Huang

• Trim some of the #include file use to make the tree compile more efficiently

Release notes for 2.62

• Bug fix for Go package "cap" and launching:

  • There was a race condition, reported by Lorenz Bauer (Bug: 215283)

• Build cleanups:

  • David Seifert cleaned up warnings for 32-bit builds

  • No longer use Perl in the libcap build process (Gentoo had a compelling reason to avoid this dependency)

• Documentation updates: cap_max_bits has a man page entry; Go module cap updates for Launch detail.

• Recognize default securebits as a libcap mode: HYBRID.

[ Nothing to do with libcap, but this release was used to expose a gcc bug as per: 103961 ]

Release notes for 2.61

• Better error handling of the numerical arguments for capsh and setcap.

  • Reported by meitingli with some bug de-duping help from Artem S. Tashkinov (Bugs 214909, 214911)

• Fix executable mode for all of the .so files. There were two situations where this was failing (with a hard to debug SIGSEGV inside libc). Bugs reported by Sam James. Both the same solution related to stack alignment and use of SSE instructions:

  • glibc and the 32-bit x86 mode (Gentoo bug 820071)

  • musl runtime library for 64-bit x86 code (Bug 215009)

• Added an example of a shared library object with its own file capability.

  • It demonstrates how to give a shared library a file capability and offer it as a linkable privileged API service to an otherwise unprivileged binary.

• Fix the top-level include for Make.Rules in the contrib/sucap example application

• Add support for running constructors at libcap.so start up time when running as stand alone binary.

  • This enables the binary executable to print out some dynamically generated content when given the --summary argument.

Release notes for 2.60

• Some build, code linting fixes, the addition of the cap_fill_flag() API and a memory latency optimization contributed by Google (Bugs: 214579 214601 214599)

• General improvement in thread safety for libcap and cap package (Bug: 214715)

• Minor API change replacing libcap:cap_launch_*() void returning functions with int + errno status returns.

  • This should be backwardly compatible for code.

• Added a cap_iab_dup(), and (*cap.IAB).Dup() to API.

  • Fixed (*cap.IAB).Fill() which was previously malfunctioning for certain Inh and Amb copies.

• New features for capsh

  • --quiet can be used to suppress the start up check that the local libcap is modern enough to name all of the capabilities known to the hosting kernel

  • Added -+ and =+ arguments. These are fork+exec equivalents to -- and == respectively (that use the cap_launch API).

Release notes for 2.59

• libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)

• More make -j13 fixes (missing dependency for make -C progs sudotest).

• Various minor documentation fixes.

Release notes for 2.58

• Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)

• Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)

  • In addition to the bug, related discussion is in two Github issues: https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and https://github.com/rra/pam-krb5/issues/21

• Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)

• Minor contrib/sucap/su.c cleanups

• Clean up kdebug build rules

• More documentation cleanup

Release notes for 2.57

• capsh enhancements:

  • --mode makes a guess at the libcap mode of the current process (Bug 214319)

  • --strict makes capsh less permissive and expects the user to perform more deliberate capability transactions

    • useful for learning all the steps; and helps this article be more pedagogical.

• Build system fixes

  • Preserve $(WARNINGS) (Fix from David Seifert)

  • Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)

  • Support make -j12 for all, test and sudotest targets

• getcap -r / now generates readable output (Bug 214317)

• Some documentation cleanup: more consistency.

Release notes for 2.56

• Canonicalize the Makefile use (in collaboration with David Seifert)

  • In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)

• Doc fixes for cap_iab.3

• Added color support to captree, which helped make the following fix generate readable output:

  • Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)

• Fixed contrib/sucap/su to correctly handle the Inheritable flag.

Release notes for 2.55

• Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich

• Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)

  • This generated a few broken builds until it was fixed.

• Cleanup of some man pages; some fixes and shorter URL to bugzilla link.

• Added libcap cap_proc_root() API function (to reach parity with the Go cap package).

  • This is only potentially useful with the recently added cap_iab_get_pid() function

• Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controller GOPATH.

  • Now make GOLANG=yes only installs the captree utility

  • Added some features to captree and created a small article on it

  • Added a man page for the captree utility

• Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.

  • Included adding --has-b support to capsh

Release notes for 2.54

• Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)

• Fixes to not ignore allocation failures (patch provided by Samanta Navarro)

• Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()

• More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)

• Revamped the Go capability comparison API for *cap.Set and *cap.IAB: (x).Cf(), and added cap.IABGetPID()

• Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.

• Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.

  • Extended getpcaps to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).

• Install *.so files as executable now that they are executable as binaries

  • A feature of 2.52 but not extended to install rules at that time.

• Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)

  • Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.

• Fixed a compiler warnings from the GitHub build tester (Bug 214143)

Release notes for 2.53

• The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)

  • Added a test case for this too.

• Lots of tyops fixed in code and documentation (also by Samanta Navarro)

• Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)

  • These distributions failed to observe a runnable pam_cap.so and various make options failed.

• Support clang builds (again). (Reported by Johan Herland 214047)

  • This used to work, but by accident. It broke with the advent of a runnable libcap.so , libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.

• Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.

  • Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.

Release notes for 2.52

• Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)

• The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!

  • The support is used to display some description information.

  • To activate it, these binaries need to be installed executable (chmod +x ...)

  • We also provided a write-up of how to enable this sort of feature in other .so files here.

• The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).

• Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.

• Added capsh --current support.

• Minor documentation updates.

• Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.

  • This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.

  • At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.

Release notes for 2.51

• Fix capsh installation (Bug 213261 - reported by Jan Palus) 

• Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)

• Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)

  • This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages

• API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.

  • This can be used to raise all the Permitted capabilities in a Set with one API call.

• In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).

  • This is with an eye to the imminent golang change removing support for GOPATH based building.

• Minor compilation warning fixes

Release notes for 2.50

• Some new capsh features:

  • --explain=cap_foo: describe what cap_foo does (Bug 212451)

  • --suggest=phrase: search all the cap descriptions and describe those that match the phrase

• Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)

  • extend libcap to include cap_prctl() and cap_prctlw() functions to regain feature parity with Go "cap" package. These are only needed when linking against -lpsx for keepcaps POSIX semantics.

  • this likely requires substantial application changes to make Ambient capability support usable in general, but doing our part for the admin.

• Add a test case for recent kernel fix (Bug 212737)

• Go pragma fix for convenience functions in "cap" module (reported by Lorenz Bauer. Bug 212321)

• Minor man documentation updates

• Minor build tree improvements (mostly for maintainer)

Release Notes for 2.49

• Implement cap_func_launcher() and cap.FuncLauncher(). This was a feature request from Gregory Fuchedzhy  (Bug 211919)

  • Modified the internals of "cap" to allow cap.SetProc() and friends from within the launcher callback function.

  • Prior to this release, such calls would deadlock. Updated the docs to explain this new freedom.

• More robust "psx" redirection for nocgo compilation - the documentation for the cgo implementation is now included in the nocgo one because the go.dev automated documentation builds the docs from the nocgo version.

• Lots of documentation cleanups and added a few man pages: for IAB and Launching.

• A little Makefile manipulation to:

  • better use musl when requested (ie., with cgo compilation)

  • execute kernel tests on demand that don't require human interaction to closed the QEMU terminal

• Some general no-op License changes that might cause folk to notice but only for formatting reasons. These were initially inspired by some lawyerly interactions, but I ended up rolling back half of them because they confused automated software infrastructure.

Release notes for 2.48

• More uniform use of $(MAKE) in Makefiles - fixes from Andrew Delgadillo

• No longer include symlinks in the git tree (any that are needed are built as part of make ...)

• Provide support for make GOLANG=no ...

• Provide support for pointing at a specific build of the go binary. Ex. make GO=~/sdk/go1.16rc1/bin/go ...

• camelCase the contrib/seccomp/explore.go program

• A number of documentation fixes to man pages and source code comments

• Last use of GO major version 0 (all subsequent Go module releases will be 1.2.* etc.)

  • We've provided tagged cap/v1.2.48 and psx/v1.2.48 Go modules, slightly past the official libcap-2.48 tags, but with the Go code identical to the 0.2.48 versions.

  • Baring a backwardly incompatible change to Go, we have no plans for using a GO major version 0 (again) or 2.

Release notes for 2.47

• Changes to the goapps/gowns example for exploring namespaces with Go (cap and psx).

• NOPRIV libcap mode now also employs NO_NEW_PRIVS prctl bit.

• Improved cap documentation.

• Refactored psx and cap go modules to place the cgo or nocgo build options into psx explicitly

  • remove the allthreadssycall build tag support (go1.16 version tag works instead).

• Add help and license info to getcap and friends.

Release notes for 2.46

• The bulk of this release concerns fixes and improvements to lib[psx]:

  • Allow a dying thread to participate in the psx-fixup mechanism - bug

  • Golang had some issues with lib[psx]using SIGRTMAX for the psx-fixup mechanism - bug#210533 (reported by Lorenz Bauer)

    • lib[psx] now interrupts SIGSYS (probably still needs some work to support the signal pass-through)

  • The psx Go package, because it contained a sub-directory with only a .h header in it, did not work with Golang module vendoring (reported by Lorenz Bauer)

    • we've collapsed down the whole libcap/psx directory to be flat now

  • The 6-argument psx_syscall6() and psx.Syscall6() now work - bug#210613 (reported by Lorenz Bauer)

  • Refactored the way Go package"cap" decides whether or not to use syscall.AllThreadsSyscall*() or the psx-fixup mechanism into the "psx" package. This way, all that build complexity resides in the "psx" package, which should also make that package more useful for other applications.

    • Compile more things CGO_ENABLED=0 where there is support.

    • Discovered a Golang bug so can't do it with psx-signals for this libcap release.

• Cleanup of build tree:

  • Deleted the POSIX semantics validation tests for Golang. I've long since migrated them to the golang source tree.

  • Added some .gitignore entries for build targets.

  • Made libcap/kdebug make target work again and run progs/quicktest.sh to completion.

• Started to develop goapps/gowns a program that can work with capabilities and Containers. Not too much functionality yet.

Release notes for 2.45

• Fix the capsh == argument handling and add a test case - bug#209873 (report by Marcus Gelderie)

• Add support for libpsx.so building - bug#206093

  • Documented reason libpsx exists with an example of the class of exploit it protects against

  • Cleaned up man page

• Added build support for systems that do not support libpthread (make PTHREADS=no ...)  - bug#209875 (requested by Heiko Thiery)

• Added build support for not building shared libraries (make SHARED=no ...)  (requested by Heiko Thiery)

Release notes for 2.44

Generally, this is a release to help package builders: no functional change to any of the generated code just documentation and make related fixes.

• 2.43 was a regression for cross-compilation purposes Rolf Eike Beer provided two patches to address this.

• Recent golang builds (pre-release) default to ignoring GOPATH, so adjust the in-tree building to override this explicitly with GO111MODULE=off

• Support testing of a DYNAMIC=yes build with the shared libraries (in collaboration with Thomas Petazzoni)

  • This includes only requiring a statically linked version of capsh (tcapsh-static) with sudotest

  • Thomas Petazzoni verified that uClibc can also build statically.

• Support build trees that have no pthreads in the environment (request from Fabrice Fontaine)

• Go package document updates since golang 1.15 is released.

Release notes for 2.43

• Linus' kernel tree defines CAP_CHECKPOINT_RESTORE (40) so support it.

• Fix the creation of the $(FAKEROOT)$(LIBDIR) for split install targets - fix from Christian Kastner

• Clean up a binary from the distribution - observation and fix from Petr Ovtchenkov

  • This was inadvertently left over from my first attempt to deprecate the manual psx wrapping.

  • Added some more release time checks for non-git tracked files.

• Fix a deadlock in libpsx that surfaced with a set of compiler optimizations by removing the psx wrapping harder.

Older release notes

Click through to release notes pre-libcap-2.43 which were automatically imported from the older Google Sites layout.