- updated to 2.69
- An audit was performed on libcap and friends by https://x41-dsec.de/ (blog). The audit (final report, 2023-05-10) was sponsored by the Open Source Technology Improvement Fund, https://ostif.org/ (blog). Five issues were found. Four of them are addressed in this release. Each issue was labeled in the audit results as follows:
- LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir (bsc#1211418)
- LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger (bsc#1211419)
- LCAP-CR-23-100 (SEVERITY) NONE
- LCAP-CR-23-101 (SEVERITY) NONE
- LCAP-CR-23-102 (SEVERITY) NONE
- Man page style improvement from Emanuele Torre (forwarded request 1087355 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/1087357
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=59
- updated to 2.69
- An audit was performed on libcap and friends by https://x41-dsec.de/ (blog). The audit (final report, 2023-05-10) was sponsored by the Open Source Technology Improvement Fund, https://ostif.org/ (blog). Five issues were found. Four of them are addressed in this release. Each issue was labeled in the audit results as follows:
- LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir (bsc#1211418)
- LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger (bsc#1211419)
- LCAP-CR-23-100 (SEVERITY) NONE
- LCAP-CR-23-101 (SEVERITY) NONE
- LCAP-CR-23-102 (SEVERITY) NONE
- Man page style improvement from Emanuele Torre
OBS-URL: https://build.opensuse.org/request/show/1087355
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=83
- update to 2.68:
* Force libcap internal functions to be hidden outside the library
* Expanded the list of man page (links) to all of the supported API
functions.
* fixed some formatting issues with the libpsx(3) manpage.
* Add support for a markdown preamble and postscript when generating
.md versions of the man pages (Bug 217007)
* psx package clean up
* fix some copy-paste errors with TestShared()
* added a more complete psx testing into this test as well
* cap package clean up
* drop an unnecessary use of ", _" in the sources
* cleaned up cap.NamedCount documentation
* Converted goapps/web/README to .md format and fixed the
instructions to indicate go mod tidy is needed.
* cap_compare test binary now cleans up after itself (Bug 217018)
* Figured out how to cross compile Go programs for arm (i.e. RPi) that
use C code, don't use cgo but do use the psx package
* Eliminate use of vendor directory
OBS-URL: https://build.opensuse.org/request/show/1075562
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=58
* Force libcap internal functions to be hidden outside the library
* Expanded the list of man page (links) to all of the supported API
functions.
* fixed some formatting issues with the libpsx(3) manpage.
* Add support for a markdown preamble and postscript when generating
.md versions of the man pages (Bug 217007)
* psx package clean up
* fix some copy-paste errors with TestShared()
* added a more complete psx testing into this test as well
* cap package clean up
* drop an unnecessary use of ", _" in the sources
* cleaned up cap.NamedCount documentation
* Converted goapps/web/README to .md format and fixed the
instructions to indicate go mod tidy is needed.
* cap_compare test binary now cleans up after itself (Bug 217018)
* Figured out how to cross compile Go programs for arm (i.e. RPi) that
use C code, don't use cgo but do use the psx package
* Eliminate use of vendor directory
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=81
* Replace use of fgrep with grep -F (POSIX grep flags preferred by
GNU grep) - patch from David Seifert.
* Added SPDX identifiers to License file(s). Hopefully this will
help the various robots out there correctly identify the
longstanding licenses for libcap and friends. (Bug: 216609
reported by Günther Noack)
* Started down the rabbit hole of trying to address (Bug: 216610
reported by Günther Noack on behalf of Michael Stapelberg)
* The basic issue is how to link C code with Go psx without using
CGo. This is all low level hackery. If you are interested,
browse the source.
* Correct for bad whatis entries in man pages (this was throwing a
Debian build test, detail)
* Also reviewed man pages and addressed cross linkage issues (Bug:
* Cleaned up some README.md files (made a github mirror now just so
I can automatically render them).
* Changed meaning of DYNAMIC=no builds.
This now builds everything with static linking except for libc.
The reason for this exception is explained in the commit message.
* Inserted demonstration exploit code in capso.so to support
article.
* Minor clarification to cap_get_pid() man page concerning pid
value within namespaces.
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=75
- update to 2.66:
* Fix documentation typos in cap_from_text.3
* Some getpcaps code clean up and a fix for PID argument parsing from Jakub
Wilk.
* Slightly more robust Makefiles to address an error with make -j48 test observed
* Include a simple Go program, captrace, to trace kernel capability validation
checks
* This program can be used to figure out what capabilities a program needs to
operate.
* captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel for
capability checks and whether or not they succeed for the system, a specific
PID or a program's direct execution.
* Trim down the default file capabilities for contrib/sucap/su to those actually
needed and set USER and HOME environment variables so bash doesn't complain
about a sourcing error.
OBS-URL: https://build.opensuse.org/request/show/1007104
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=55
* Fix documentation typos in cap_from_text.3
* Some getpcaps code clean up and a fix for PID argument parsing from Jakub
Wilk.
* Slightly more robust Makefiles to address an error with make -j48 test observed
* Include a simple Go program, captrace, to trace kernel capability validation
checks
* This program can be used to figure out what capabilities a program needs to
operate.
* captrace (a wrapper for bpftrace) uses BPF kprobes to monitor the kernel for
capability checks and whether or not they succeed for the system, a specific
PID or a program's direct execution.
* Trim down the default file capabilities for contrib/sucap/su to those actually
needed and set USER and HOME environment variables so bash doesn't complain
about a sourcing error.
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=73
- update to 2.65:
* Fix syntax error in DEBUG build of protected code in setcap.c.
* Prevent bash from reading the wrong startup files when the capsh --user=xxx
argument is used to invoke a shell as the user xxx. This is done by capsh now
changing the USER and HOME environment variables when --user is specified.
The argument --noenv can be used to suppress this behavior to what used to be
the problematic default. (Bug: 215926)
* Improved documentation
OBS-URL: https://build.opensuse.org/request/show/990728
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=54
* Fix syntax error in DEBUG build of protected code in setcap.c.
* Prevent bash from reading the wrong startup files when the capsh --user=xxx
argument is used to invoke a shell as the user xxx. This is done by capsh now
changing the USER and HOME environment variables when --user is specified.
The argument --noenv can be used to suppress this behavior to what used to be
the problematic default. (Bug: 215926)
* Improved documentation
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=71
* Fix memory leak in libpsx at program exit.
* Be more resilient to CGo configuration with Go compiler when building tests.
* Fix cap_*prctl() return code/errno handling.
* Minor clarification to cap_get_pid() man page concerning pid value within namespaces.
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=69
* restore errno to zero by the time main() is executed
* Consistent psx handling (a panic) for syscalls that return thread dependent
status. Inconsistent behavior noticed by Lorenz Bauer
* Add a test case for a deadlock under investigation in golang
* Trim some of the #include file use to make the tree compile more
efficiently
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=67
- update to 2.59:
* Fixed a potential libcap memory leak by adding a destructor
* Major improvement is that there is a path for Linux-PAM compliant
applications to support setting Ambient vector Capabilities via pam_cap.so now
* Added libcap cap_proc_root() API function
* Added color support to captree
* Fixed contrib/sucap/su to correctly handle the Inheritable flag
* capsh enhancements
* getcap -r / now generates readable output
* The shared library objects: pam_cap.so, libcap.so and libpsx.so, are all now
runnable as standalone binaries
* The module pam_cap.so now contains support for a default=<IAB> module argument
* Enhanced capsh --suggest to also compare against the capability value names
and not just their descriptions
* Added capsh --current support
* Added a contrib/sucap/su.c pure-capabilities PAM implementation of su
* Fix for a corner case infinite loop handling long strings
* Added libcap cap_iab_compare() and cap_iab_get_pid() APIs
* Added a Go utility, captree, to display the process (and thread) graph along with
the POSIX.1e and IAB capabilities of each PID{TID} tree.
OBS-URL: https://build.opensuse.org/request/show/921983
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=64
- update to 2.51:
* Fix capsh installation
* Add an autoauth module flag to pam_cap.so
* Unified libcap/cap (Go) and libcap (C) default generation of external format binary data
* API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one
capability flag to another.
* --explain=cap_foo: describe what cap_foo does
* --suggest=phrase: search all the cap descriptions and describe those that match the phrase
* Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)
* extend libcap to include cap_prctl() and cap_prctlw() functions to regain
feature parity with Go "cap" package. These are only needed when linking
against -lpsx for keepcaps POSIX semantics.
* this likely requires substantial application changes to make Ambient
capability support usable in general, but doing our part for the admin.
* Add a test case for recent kernel fix
* Go pragma fix for convenience functions in "cap" module
OBS-URL: https://build.opensuse.org/request/show/906773
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=47
* Fix capsh installation
* Add an autoauth module flag to pam_cap.so
* Unified libcap/cap (Go) and libcap (C) default generation of external format binary data
* API enhancement cap_fill() and (*cap.Set).Fill() - to permit copying one
capability flag to another.
* --explain=cap_foo: describe what cap_foo does
* --suggest=phrase: search all the cap descriptions and describe those that match the phrase
* Add "keepcaps" module argument support to pam_cap.so (reported by Zoltan Fridrich. Bug 212945)
* extend libcap to include cap_prctl() and cap_prctlw() functions to regain
feature parity with Go "cap" package. These are only needed when linking
against -lpsx for keepcaps POSIX semantics.
* this likely requires substantial application changes to make Ambient
capability support usable in general, but doing our part for the admin.
* Add a test case for recent kernel fix
* Go pragma fix for convenience functions in "cap" module
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=63
- update to 2.49:
* Implement cap_func_launcher() and cap.FuncLauncher().
* More robust "psx" redirection for nocgo compilation - the documentation for
the cgo implementation is now included in the nocgo one because the go.dev
automated documentation builds the docs from the nocgo version.
* Lots of documentation cleanups and added a few man pages: for IAB and
Launching.
* Some general no-op License changes that might cause folk to notice but only
for formatting reasons. These were initially inspired by some lawyerly
interactions, but I ended up rolling back half of them because they
confused automated software infrastructure.
OBS-URL: https://build.opensuse.org/request/show/880541
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=44
* Implement cap_func_launcher() and cap.FuncLauncher().
* More robust "psx" redirection for nocgo compilation - the documentation for
the cgo implementation is now included in the nocgo one because the go.dev
automated documentation builds the docs from the nocgo version.
* Lots of documentation cleanups and added a few man pages: for IAB and
Launching.
* Some general no-op License changes that might cause folk to notice but only
for formatting reasons. These were initially inspired by some lawyerly
interactions, but I ended up rolling back half of them because they
confused automated software infrastructure.
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=57
- update to 2.48:
* More uniform use of $(MAKE) in Makefiles
* No longer include symlinks in the git tree
* Provide support for make GOLANG=no ...
* Provide support for pointing at a specific build of the go binary
* camelCase the contrib/seccomp/explore.go program
* A number of documentation fixes to man pages and source code comments
* Last use of GO major version 0
OBS-URL: https://build.opensuse.org/request/show/870717
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcap?expand=0&rev=43
* More uniform use of $(MAKE) in Makefiles
* No longer include symlinks in the git tree
* Provide support for make GOLANG=no ...
* Provide support for pointing at a specific build of the go binary
* camelCase the contrib/seccomp/explore.go program
* A number of documentation fixes to man pages and source code comments
* Last use of GO major version 0
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=55
* Restructured gowns to default to uid base of getuid().
* Augment NOPRIV libcap mode with the sticky NO_NEW_PRIVS prctl bit.
* Improve the usage and diagnostic message for setcap
* Documentation fixes, license declarations, example updates
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=53
* The bulk of this release concerns fixes and improvements to libpsx
* Fix the capsh == argument handling and add a test case
* Added build support for systems that do not support libpthread
* Added build support for not building shared libraries
OBS-URL: https://build.opensuse.org/package/show/Base:System/libcap?expand=0&rev=48