Release notes for libcap et al
Quick Summary of Major Release Features
2.69 - resolving issues revealed by a security audit of libcap and friends.
2.68 - mostly documentation related fixes; for the first time employ the __attribute__((visibility ("hidden"))) attribute to enforce the libcap documented API; more fun extending the non-cgo linking-C psx example to cross compile for arm.
2.67 - mostly documentation fixes/clarifications including SPDX entries in the License files; some fun contrib changes relating to C and Go.
2.66 - small fixes; added a captrace utility to help figure out what capabilities a privileged program actually needs.
2.65 - prevent capsh --user from generating bash errors; some debugging and documentation fixes.
2.64 - minor bug fixes including errno handling by cap_*prctl() functions.
2.63 - restore errno to zero for main execution; consistent behavior for "psx" package if syscall results differ.
2.62 - bugfix for Go package "cap" Launch feature; introduce HYBRID mode; minor documentation updates; build warning fixes for 32-bit platforms.
2.61 - better number parsing in capsh and setcap; fixed segfaulting in .so executables; added example of capable shared library object.
2.60 - make libcap and the cap package much more thread safe (better atomicity of API); build and linting fixes; added cap_fill_flag() API; implemented --quiet and -+ and =+ support in capsh
2.59 - bugfix to not segfault as much (cap_t = NULL is recognized with a failure vs. SIGSEGV); minor doc fixes
2.58 - free memory on library exit; pam_cap.so can now set Ambient vectors with Linux-PAM compliant apps; doc cleanups.
2.57 - More Makefile cleanups (don't build tests unless testing); --mode and --strict capsh args; clean up getcap -r / output.
2.56 - More Makefile cleanups; fixed a bug in test_pam_cap; fix sucap/su Inheritable flag handling; enhance captree.
2.55 - Tons of static analysis fixes; captree now has a man page and more features; revamped way libcap manages memory
2.54 - fix a memory leak in cap_iab_get_proc() and verify allocation; fix error handling in cap_reset_ambient(); add an IAB comparison API; add a captree Go binary and support getpcap --iab; absorb some downstream package patches.
2.53 - bug fix for cap_launch (error propagation); support clang (again); documentation fixes and updates
2.52 - *.so can be run as standalone binaries; pam_cap.so has default argument; capsh has --current argument; include a fully capable su implementation.
2.51 - resurrected capsh install target(!); pam_cap.so new autoauth arg; added cap_fill() API; support for golang 1.17 builds
2.50 - documentation updates, including capsh --explain and --suggest options
2.49 - add a lower overhead launching function cap_func_launch() and cap.FuncLaunch() with lots of doc updates
2.48 - some Makefile and documentation fixes; adopt Go module major version 1 (now that go1.16rc1 is out)
2.47 - minor update, add use of PR_SET_NO_NEW_PRIVS to libcap mode NOPRIV
2.46 - so many fixes for libpsx, it is probably not worth using earlier versions
2.45 - fix capsh "==" option and libpsx support
2.44 - make related features allow building for pthread-less systems
2.43 - Add support for CAP_CHECKPOINT_RESTORE, libpsx.a considered stable
2.41 - cap_to_text() generates more compact text representation; Go and C support at parity
2.40 - documentation updates
2.39 - musl libc support
2.37 - Add support for CAP_BPF and "Go module" support for "psx" and "cap"
2.36 - Add support for CAP_PERFMON
2.35 - pam_cap.so now allows PAM_REINITIALIZE_CRED
2.34 - capsh supports overriding the shell for "--" (default to bash, but can override that too)
2.33 - introduced IAB abstraction for 3 flavors of inheritable capability: pam_cap.so uses this text representation for config. Introduced cap_launch functionality (for launching a lesser privileged child process from a POSIX semantics libcap multi-threaded program)
2.31 - documentation updates
2.30 - revived the 'all' keyword for capabilities. This was broken by a kernel change at some point, and has been unusable ever since. Now defined to mean "all the capabilities named by the hosting kernel".
2.29 - pam_cap.so supports @group syntax and first hints of an IAB text representation. libcap introduces cap_modes.
2.28 - first release of libpsx (providing POSIX semantics for system calls), to support POSIX semantics for libcap for the first time - a bit buggy in this release; this also enabled a working port of libcap to native Go.
2.27 - this has been out there so long, we can call this the assumed feature set.
Release notes for 2.69
2023-05-14 19:10:04 -0700
An audit was performed on libcap and friends by https://x41-dsec.de/ (blog). The audit (final report, 2023-05-10) was sponsored by the Open Source Technology Improvement Fund, https://ostif.org/ (blog). Five issues were found. Four of them are addressed in this release. Each issue was labeled in the audit results as follows:
LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
LCAP-CR-23-100 (SEVERITY) NONE
LCAP-CR-23-101 (SEVERITY) NONE
LCAP-CR-23-102 (SEVERITY) NONE
Man page style improvement from Emanuele Torre
Partially revive the ability to build the binaries fully statically.
This was needed to make bleeding edge kernel debugging/testing via qemu+busybox work again. Addressing an issue I realized only when I tried to answer this stackexchange question.
Release notes for 2.68
2023-03-25 17:03:17 -0700
Force libcap internal functions to be hidden outside the library (Bug 217014)
Expanded the list of man page (links) to all of the supported API functions.
fixed some formatting issues with the libpsx(3) manpage.
Add support for a markdown preamble and postscript when generating .md versions of the man pages (Bug 217007)
psx package clean up
fix some copy-paste errors with TestShared()
added a more complete psx testing into this test as well
cap package clean up
drop an unnecessary use of ", _" in the sources
cleaned up cap.NamedCount documentation
Converted goapps/web/README to .md format and fixed the instructions to indicate go mod tidy is needed.
cap_compare test binary now cleans up after itself (Bug 217018)
Figured out how to cross compile Go programs for arm (i.e. RPi) that use C code, don't use cgo but do use the psx package (all part of investigating bug 216610).
Eliminate use of vendor directory
Release notes for 2.67
2023-02-02 20:10:27 -0800
Replace use of fgrep with grep -F (POSIX grep flags preferred by GNU grep) - patch from David Seifert.
Added SPDX identifiers to License file(s). Hopefully this will help the various robots out there correctly identify the longstanding licenses for libcap and friends. (Bug: 216609 reported by Günther Noack)
Started down the rabbit hole of trying to address (Bug: 216610 reported by Günther Noack on behalf of Michael Stapelberg)
The basic issue is how to link C code with Go psx without using CGo. This is all a low level hackery. If you are interested, browse the source.
Correct for bad whatis entries in man pages (this was throwing a Debian build test, detail)
Also reviewed man pages and addressed cross linkage issues (Bug: 216585)
Cleaned up some README.md files (made a github mirror now just so I can automatically render them).
Changed meaning of DYNAMIC=no builds.
This now builds everything with static linking except for libc. The reason for this exception is explained in the commit message.
Inserted demonstration exploit code in capso.so to support article.
Release notes for 2.66
2022-09-24 13:37:39 -0700
Fix documentation typos in cap_from_text.3 (Bug: 216514 reported by Paulo Andrade.)
Some getpcaps code clean up and a fix for PID argument parsing from Jakub Wilk.
Slightly more robust Makefiles to address an error with make -j48 test observed by Tomasz Kłoczko.
Include a simple Go program, captrace, to trace kernel capability validation checks
This program can be used to figure out what capabilities a program needs to operate.
captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel for capability checks and whether or not they succeed for the system, a specific PID or a program's direct execution.
Trim down the default file capabilities for contrib/sucap/su to those actually needed and set USER and HOME environment variables so bash doesn't complain about a sourcing error.
Release notes for 2.65
2022-07-17 15:33:06 -0700
Fix syntax error in DEBUG build of protected code in setcap.c. (Bug reported by yixiangzhike.)
Prevent bash from reading the wrong startup files when the capsh --user=xxx argument is used to invoke a shell as the user xxx. This is done by capsh now changing the USER and HOME environment variables when --user is specified. The argument --noenv can be used to suppress this behavior to what used to be the problematic default. (Bug: 215926)
Improved documentation:
Man page info for cap_get_pid() and cap_reset_ambient(). (Bug reports from nomonemo and Tinkerer One.)
Improve documentation and help for the captree program.
Updated go/Makefile comment about an unfixed Go runtime bug in go1.16 and go1.17 (resolved in go1.18+), and the deadlock behavior of the psx-fd test.
Refresh the signatures on the two GPG keys morgan@ uses. The 4096 bit one is preferred, but the older one is also used for continuity reasons. This set of signatures should also be available from the various key servers out there.
Release notes for 2.64
2022-04-10 15:39:39 -0700
Fix memory leak in libpsx at program exit. (Bug: 215551 reported by Kalen Hall)
Be more resilient to CGo configuration with Go compiler when building tests. (Bug: 215603)
Fix cap_*prctl() return code/errno handling. (Bug: 215772 reported by Anderson Toshiyuki Sasaki)
Minor clarification to cap_get_pid() man page concerning pid value within namespaces. (Bug: 215812)
Release notes for 2.63
2022-01-23 16:36:22 -0800
Restore errno to zero by the time main() is executed
Bug reported by Yang Xu
Consistent psx handling (a panic) for syscalls that return thread dependent status
Inconsistent behavior noticed by Lorenz Bauer (Bug: 215283)
Add a test case for a deadlock under investigation in golang #50113
Bug reported by Weixiao Huang
Trim some of the #include file use to make the tree compile more efficiently
Release notes for 2.62
2021-12-11 18:06:34 -0800
Bug fix for Go package "cap" and launching:
There was a race condition, reported by Lorenz Bauer (Bug: 215283)
Build cleanups:
David Seifert cleaned up warnings for 32-bit builds
No longer use Perl in the libcap build process (Gentoo had a compelling reason to avoid this dependency)
Documentation updates: cap_max_bits has a man page entry; Go module cap updates for Launch detail.
Recognize default securebits as a libcap mode: HYBRID.
[ Nothing to do with libcap, but this release was used to expose a gcc bug as per: 103961 ]
Release notes for 2.61
2021-11-20 22:20:04 -0800
Better error handling of the numerical arguments for capsh and setcap.
Fix executable mode for all of the .so files. There were two situations where this was failing (with a hard to debug SIGSEGV inside libc). Bugs reported by Sam James. Both had the same solution, related to stack alignment and use of SSE instructions.
Added an example of a shared library object with its own file capability.
It demonstrates how to give a shared library a file capability and offer it as a linkable privileged API service to an otherwise unprivileged binary.
Fix the top-level include for Make.Rules in the contrib/sucap example application
Add support for running constructors at libcap.so start up time when running as stand alone binary.
This enables the binary executable to print out some dynamically generated content when given the --summary argument.
Release notes for 2.60
2021-10-22 21:29:14 -0700
Some build, code linting fixes, the addition of the cap_fill_flag() API and a memory latency optimization contributed by Google (Bugs: 214579 214601 214599)
General improvement in thread safety for libcap and cap package (Bug: 214715)
Minor API change replacing libcap:cap_launch_*() void returning functions with int + errno status returns.
This should be backwardly compatible for code.
Added a cap_iab_dup(), and (*cap.IAB).Dup() to API.
Fixed (*cap.IAB).Fill() which was previously malfunctioning for certain Inh and Amb copies.
New features for capsh
--quiet can be used to suppress the start up check that the local libcap is modern enough to name all of the capabilities known to the hosting kernel
Added -+ and =+ arguments. These are fork+exec equivalents to -- and == respectively (that use the cap_launch API).
Release notes for 2.59
2021-09-26 18:20:33 -0700
libcap-2.55 ... 2.58 would SIGSEGV if an operation was attempted on a NULL value for cap_t or cap_iab_t. Restore the more tolerant error return behavior last seen with libcap-2.54. (Bug 214525)
More make -j13 fixes (missing dependency for make -C progs sudotest).
Various minor documentation fixes.
Release notes for 2.58
2021-09-17 19:35:29 -0700
Fixed a potential libcap memory leak by adding a destructor (Bug 214373 reported by yan12125)
Major improvement is that there is a path for Linux-PAM compliant applications to support setting Ambient vector Capabilities via pam_cap.so now (Bug 214377)
In addition to the bug, related discussion is in two Github issues: https://github.com/shadow-maint/shadow/pull/408#issuecomment-919673098 and https://github.com/rra/pam-krb5/issues/21
Added support for RPM builds that generate the build-id that RPM expects (see https://github.com/rpm-software-management/rpm/issues/367 for discussion)
Minor contrib/sucap/su.c cleanups
Clean up kdebug build rules
More documentation cleanup
Release notes for 2.57
2021-09-09 13:57:36 -0700
capsh enhancements:
--mode makes a guess at the libcap mode of the current process (Bug 214319)
--strict makes capsh less permissive and expects the user to perform more deliberate capability transactions
useful for learning all the steps; and helps this article be more pedagogical.
Build system fixes
Preserve $(WARNINGS) (Fix from David Seifert)
Don't ever build test binaries unless make test etc is invoked (speeds builds on slower systems)
Support make -j12 for all, test and sudotest targets
getcap -r / now generates readable output (Bug 214317)
Some documentation cleanup: more consistency.
Release notes for 2.56
2021-09-02 20:03:32 -0700
Canonicalize the Makefile use (in collaboration with David Seifert)
In the process fixed a bug in pam_cap/test_pam_cap (reported by David Seifert, Bug 214257)
Doc fixes for cap_iab.3
Added color support to captree, which helped make the following fix generate readable output:
Fixed captree to not display duplicate copies of sub-trees if also exploring their ancestor (Bug 214269)
Fixed contrib/sucap/su to correctly handle the Inheritable flag.
Release notes for 2.55
2021-08-29 18:54:03 -0700
Two rounds of fixes for the results of some static analysis performed by Zoltan Fridrich
Removed a clang compilation warning about memory allocation by rewriting the way cap_free() and the various libcap memory allocation mechanisms work. (Bug 214183)
This generated a few broken builds until it was fixed.
Cleanup of some man pages; some fixes and shorter URL to bugzilla link.
Added libcap cap_proc_root() API function (to reach parity with the Go cap package).
This is only potentially useful with the recently added cap_iab_get_pid() function
Revamped what the GOLANG=yes builds install - used to install local copies of cap and psx, but these were effectively useless because of the Go module support in recent Go releases in favor of user controlled GOPATH.
Now make GOLANG=yes only installs the captree utility
Added some features to captree and created a small article on it
Added a man page for the captree utility
Some small changes to the tests to account for the idiosyncrasies of some new testing environments I've accumulated.
Included adding --has-b support to capsh
Release notes for 2.54
2021-08-25 21:09:19 -0700
Fix for a corner case infinite loop handling long strings (patch provided by Samanta Navarro)
Fixes to not ignore allocation failures (patch provided by Samanta Navarro)
Evolving work from Samanta Navarro, found and fixed a memory leak in cap_iab_get_proc()
More robust discovery of the name of the dynamic loader of the build target (patch provided by Arnout Vandecappelle)
Revamped the Go capability comparison API for *cap.Set and *cap.IAB: (x).Cf(), and added cap.IABGetPID()
Added libcap cap_iab_compare() and cap_iab_get_pid() APIs.
Added a Go utility, captree, to display the process (and thread) graph along with the POSIX.1e and IAB capabilities of each PID{TID} tree.
Extended getpcaps to support the --iab command line argument, which outputs a PID's IAB tuple too (if non-default).
Install *.so files as executable now that they are executable as binaries
A feature of 2.52 but not extended to install rules at that time.
Absorbed a lot of wisdom from a number of downstream package workarounds including wisdom from (Zhi Li and Arnout Vandecappelle and unknown others... Bugs 214023#c16, 214085)
Support make FORCELINKPAM=yes or make FORCELINKPAM=no for those packagers that feel strongly about not letting this be dynamically discovered at build time.
Fixed compiler warnings from the GitHub build tester (Bug 214143)
Release notes for 2.53
2021-08-15 19:06:35 -0700
The (C) cap_launch functionality was previously broken when launches failed (found and fixed by Samanta Navarro)
Added a test case for this too.
Lots of tyops fixed in code and documentation (also by Samanta Navarro)
Support distributions that aggressively link shared objects (reported by David Runge; Bug 214023)
These distributions failed to observe a runnable pam_cap.so and various make options failed.
Support clang builds (again). (Reported by Johan Herland 214047)
This used to work, but by accident. It broke with the advent of a runnable libcap.so, libpsx.so and pam_cap.so support. Fixed now, and added a build target to validate it still works at release time.
Minor documentation updates including one for Slavi Marinov who was trying to get cap.LaunchFunc() to work.
Worked up a couple of example modifications to goapps/web to demonstrate a different user per web query and enabling a custom chroot per web query.
Release notes for 2.52
2021-08-01 17:49:56 -0700
Revived -std=c89 compilation for make all etc. (Bug 213541 reported by Byron Stanoszek.)
The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now runnable as standalone binaries!
The support is used to display some description information.
To activate it, these binaries need to be installed executable (chmod +x ...)
We also provided a write-up of how to enable this sort of feature in other .so files here.
The module pam_cap.so now contains support for a default=<IAB> module argument. (Bug 213611).
Enhanced capsh --suggest to also compare against the capability value names and not just their descriptions.
Added capsh --current support.
Minor documentation updates.
Added a contrib/sucap/su.c pure-capabilities PAM implementation of su.
This is primarily to demonstrate that such a thing is possible, and to validate that the pam_cap.so module is capable of adding any IAB tuple of inheritables per group or user.
At this time, it relies on features only present in this version of libcap and HEAD of the Linux-PAM sources for the pam_unix.so module.
Release notes for 2.51
2021-06-20 16:57:57 -0700
Fix capsh installation (Bug 213261 - reported by Jan Palus)
Add an autoauth module flag to pam_cap.so (Bug 213279 - noted a feature request hidden in StackExchange)
Unified libcap/cap (Go) and libcap (C) default generation of external format binary data (Bug 213375 - addressing an issue raised by Mike Schilling)
This standard binary format should be forwards/backwards compatible with earlier libcap2 builds and libcap/cap packages
API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one capability flag to another.
This can be used to raise all the Permitted capabilities in a Set with one API call.
In tree build/run/test of Go packages now uses Go module vendoring (Bug 212453).
This is with an eye to the imminent golang change removing support for GOPATH based building.
Minor compilation warning fixes
Release notes for 2.50
2021-05-24 12:05:16 -0700
Some new capsh features:
--explain=cap_foo: describe what cap_foo does (Bug 212451)
--suggest=phrase: search all the cap descriptions and describe those that match the phrase
Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)
extend libcap to include cap_prctl() and cap_prctlw() functions to regain feature parity with Go "cap" package. These are only needed when linking against -lpsx for keepcaps POSIX semantics.
this likely requires substantial application changes to make Ambient capability support usable in general, but doing our part for the admin.
Add a test case for recent kernel fix (Bug 212737)
Go pragma fix for convenience functions in "cap" module (reported by Lorenz Bauer. Bug 212321)
Minor man documentation updates
Minor build tree improvements (mostly for maintainer)
Release Notes for 2.49
2021-03-13 16:26:47 -0800
Implement cap_func_launcher() and cap.FuncLauncher(). This was a feature request from Gregory Fuchedzhy (Bug 211919)
Modified the internals of "cap" to allow cap.SetProc() and friends from within the launcher callback function.
Prior to this release, such calls would deadlock. Updated the docs to explain this new freedom.
More robust "psx" redirection for nocgo compilation - the documentation for the cgo implementation is now included in the nocgo one because the go.dev automated documentation builds the docs from the nocgo version.
Lots of documentation cleanups and added a few man pages: for IAB and Launching.
A little Makefile manipulation to:
better use musl when requested (i.e., with cgo compilation)
execute kernel tests on demand that don't require human interaction to close the QEMU terminal
Some general no-op License changes that might cause folk to notice but only for formatting reasons. These were initially inspired by some lawyerly interactions, but I ended up rolling back half of them because they confused automated software infrastructure.
Release notes for 2.48
2021-02-04 21:52:17 -0800
More uniform use of $(MAKE) in Makefiles - fixes from Andrew Delgadillo
No longer include symlinks in the git tree (any that are needed are built as part of make ...)
Provide support for make GOLANG=no ...
Provide support for pointing at a specific build of the go binary. Ex. make GO=~/sdk/go1.16rc1/bin/go ...
camelCase the contrib/seccomp/explore.go program
A number of documentation fixes to man pages and source code comments
Last use of GO major version 0 (all subsequent Go module releases will be 1.2.* etc.)
We've provided tagged cap/v1.2.48 and psx/v1.2.48 Go modules, slightly past the official libcap-2.48 tags, but with the Go code identical to the 0.2.48 versions.
Barring a backwardly incompatible change to Go, we have no plans for using a GO major version 0 (again) or 2.
Release notes for 2.47
2021-01-23 18:10:49 -0800
Changes to the goapps/gowns example for exploring namespaces with Go (cap and psx).
NOPRIV libcap mode now also employs NO_NEW_PRIVS prctl bit.
Improved cap documentation.
Refactored psx and cap go modules to place the cgo or nocgo build options into psx explicitly
remove the allthreadssycall build tag support (go1.16 version tag works instead).
Add help and license info to getcap and friends.
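The NOPRIV mode change above relies on the kernel's no_new_privs bit. As an added example (not libcap's own code), the C program below shows what that bit gives a defender from the process's point of view: it is set with prctl(2) without needing any privilege, it is readable back, and once set it cannot be cleared, so no later execve() of a setuid or file-capability binary can raise privilege for this process or its children. It is Linux-specific (kernel 3.5 or later); the function names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Set the no_new_privs bit on the calling process. Returns 0 on success,
 * -1 with errno set on failure. No privilege is needed to set it, and the
 * bit is inherited by every child process from now on. */
int enable_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Query the bit: 1 if set, 0 if clear, -1 on error. */
int no_new_privs_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Demonstrate that the bit is one-way. The kernel only accepts arg2 == 1 for
 * PR_SET_NO_NEW_PRIVS, so an attempt to "clear" it with 0 is rejected with
 * EINVAL. Returns 1 when the clear attempt was refused and the bit is still
 * set, 0 otherwise. */
int no_new_privs_cannot_be_cleared(void)
{
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (rc == -1 && errno == EINVAL)
        return no_new_privs_is_set() == 1;
    return 0;
}

int main(void)
{
    if (enable_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("no_new_privs set: %d\n", no_new_privs_is_set());
    printf("clear attempt refused: %d\n", no_new_privs_cannot_be_cleared());
    return 0;
}
```

Because the bit is inherited and irreversible, a process that enters NOPRIV mode early cannot have privilege restored by anything it later executes, which is what makes the mode a useful floor for a sandboxed helper.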
Release notes for 2.46
2020-12-12 15:58:11 -0800
The bulk of this release concerns fixes and improvements to lib[psx]:
Allow a dying thread to participate in the psx-fixup mechanism - bug
Golang had some issues with lib[psx] using SIGRTMAX for the psx-fixup mechanism - bug#210533 (reported by Lorenz Bauer)
lib[psx] now interrupts SIGSYS (probably still needs some work to support the signal pass-through)
The psx Go package, because it contained a sub-directory with only a .h header in it, did not work with Golang module vendoring (reported by Lorenz Bauer)
we've collapsed down the whole libcap/psx directory to be flat now
The 6-argument psx_syscall6() and psx.Syscall6() now work - bug#210613 (reported by Lorenz Bauer)
Refactored the way Go package "cap" decides whether or not to use syscall.AllThreadsSyscall*() or the psx-fixup mechanism into the "psx" package. This way, all that build complexity resides in the "psx" package, which should also make that package more useful for other applications.
Compile more things CGO_ENABLED=0 where there is support.
Discovered a Golang bug so can't do it with psx-signals for this libcap release.
Cleanup of build tree:
Deleted the POSIX semantics validation tests for Golang. I've long since migrated them to the golang source tree.
Added some .gitignore entries for build targets.
Made libcap/kdebug make target work again and run progs/quicktest.sh to completion.
Started to develop goapps/gowns a program that can work with capabilities and Containers. Not too much functionality yet.
Release notes for 2.45
2020-11-02 17:49:24 -0800
Fix the capsh == argument handling and add a test case - bug#209873 (report by Marcus Gelderie)
Add support for libpsx.so building - bug#206093
Documented reason libpsx exists with an example of the class of exploit it protects against
Cleaned up man page
Added build support for systems that do not support libpthread (make PTHREADS=no ...) - bug#209875 (requested by Heiko Thiery)
Added build support for not building shared libraries (make SHARED=no ...) (requested by Heiko Thiery)
Release notes for 2.44
2020-10-04 18:43:17 -0700
Generally, this is a release to help package builders: no functional change to any of the generated code, just documentation and make related fixes.
2.43 was a regression for cross-compilation purposes; Rolf Eike Beer provided two patches to address this.
Recent golang builds (pre-release) default to ignoring GOPATH, so adjust the in-tree building to override this explicitly with GO111MODULE=off
Support testing of a DYNAMIC=yes build with the shared libraries (in collaboration with Thomas Petazzoni)
This includes only requiring a statically linked version of capsh (tcapsh-static) with sudotest
Thomas Petazzoni verified that uClibc can also build statically.
Support build trees that have no pthreads in the environment (request from Fabrice Fontaine)
Go package document updates since golang 1.15 is released.
Release notes for 2.43
2020-08-15 11:17:55 -0700
Linus' kernel tree defines CAP_CHECKPOINT_RESTORE (40) so support it.
Fix the creation of the $(FAKEROOT)$(LIBDIR) for split install targets - fix from Christian Kastner
Clean up a binary from the distribution - observation and fix from Petr Ovtchenkov
This was inadvertently left over from my first attempt to deprecate the manual psx wrapping.
Added some more release time checks for non-git tracked files.
Fix a deadlock in libpsx that surfaced with a set of compiler optimizations by removing the psx wrapping harder.
Older release notes
Click through to release notes pre-libcap-2.43 which were automatically imported from the older Google Sites layout.