Revived old setcap/getcap manual pages and added support for removing file caps

Make.Rules

@@ -57,6 +57,7 @@ LD=ld
 LDFLAGS=-s #-g
 
 KERNEL_HEADERS = /usr/include
+SYSTEM_HEADERS = /usr/include
 IPATH += -I$(topdir)/libcap/include
 INCS=$(topdir)/libcap/include/sys/capability.h
 LIBS=-L$(topdir)/libcap -lcap

doc/cap_get_file.3

@@ -6,7 +6,7 @@
 .SH NAME
 cap_get_file, cap_set_file, cap_get_fd, cap_set_fd \- capability manipulation on files
 .sp
-.B "    PLEASE NOTE NONE OF THESE FUNCTIONS ARE IMPLEMENTED IN 0.102. NEITHER IS THERE SUPPORT FOR THEM IN LINUX 2.1.102."
+.B "    Note: support for file capabilities is anticipated in Linux 2.6.23+"
 .SH SYNOPSIS
 .B
 .sp
@@ -50,10 +50,15 @@ pointed to by
 or the file open on descriptor
 .IR fd ,
 with the capability state identified by
-.IR cap_p . 
-The new capability state of the file shall be completely determined by the
-contents of 
 .IR cap_p .
+The new capability state of the file shall be completely determined by the
+contents of
+.IR cap_p .
+A
+.IR NULL
+value for
+.IR cap_p
+is used to indicate that capabilities for the file should be deleted.
 For these functions to succeed, the calling process must have the
 .B CAP_SETFCAP
 capability enabled and either the effective user ID of the process must match

libcap/Makefile

@@ -46,7 +46,7 @@ $(MINLIBNAME): $(OBJS)
 <<<<<<< HEAD:libcap/Makefile
 =======
 cap_sys.o: cap_sys.c $(INCLS)
-	$(CC) $(IPATH) -fPIC -Wall -O2 -c $< -o $@
+	$(CC) -include $(SYSTEM_HEADERS)/linux/unistd.h $(IPATH) -fPIC -Wall -O2 -c $< -o $@
 
 >>>>>>> Add tentitive support for filesystem capabilities with 2.6.23-mm kernels:libcap/Makefile
 install: all

libcap/cap_file.c

@@ -134,7 +134,10 @@ int cap_set_fd(int fildes, cap_t cap_d)
 {
     struct vfs_cap_data rawvfscap;
 
-    if (_fcaps_save(&rawvfscap, cap_d) != 0) {
+    if (cap_d == NULL) {
+	_cap_debug("deleting fildes capabilities");
+	return fremovexattr(fildes, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d) != 0) {
 	return -1;
     }
 
@@ -152,7 +155,10 @@ int cap_set_file(const char *filename, cap_t cap_d)
 {
     struct vfs_cap_data rawvfscap;
 
-    if (_fcaps_save(&rawvfscap, cap_d) != 0) {
+    if (cap_d == NULL) {
+	_cap_debug("removing filename capabilities");
+	return removexattr(filename, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d) != 0) {
 	return -1;
     }
 

progs/setcap.c

@@ -14,8 +14,8 @@
 static void usage(void)
 {
     fprintf(stderr,
-	    "usage: setcap [-q] (-|<caps>) <filename> "
-	    "[ ... (-|<capsN>) <filenameN> ]\n"
+	    "usage: setcap [-q] (-r|-|<caps>) <filename> "
+	    "[ ... (-r|-|<capsN>) <filenameN> ]\n"
 	);
     exit(1);
 }
@@ -71,28 +71,33 @@ int main(int argc, char **argv)
 	    quiet = 1;
 	    continue;
 	}
-	if (!strcmp(*argv,"-")) {
-	    retval = read_caps(quiet, *argv, buffer);
-	    if (retval)
+	if (!strcmp(*argv,"-r")) {
+	    cap_d = NULL;
+	} else {
+	    if (!strcmp(*argv,"-")) {
+		retval = read_caps(quiet, *argv, buffer);
+		if (retval)
+		    usage();
+		text = buffer;
+	    } else {
+		text = *argv;
+	    }
+
+	    cap_d = cap_from_text(text);
+	    if (cap_d == NULL) {
+		perror("fatal error");
 		usage();
-	    text = buffer;
-	} else
-	    text = *argv;
-
-	cap_d = cap_from_text(text);
-	if (cap_d == NULL) {
-	    perror("fatal error");
-	    usage();
-	}
+	    }
 #ifdef DEBUG
-	{
-	    ssize_t length;
-	    const char *result;
+	    {
+		ssize_t length;
+		const char *result;
 
-	    result = cap_to_text(cap_d, &length);
-	    fprintf(stderr, "caps set to: [%s]\n", result);
-	}
+		result = cap_to_text(cap_d, &length);
+		fprintf(stderr, "caps set to: [%s]\n", result);
+	    }
 #endif
+	}
 
 	if (--argc <= 0)
 	    usage();
@@ -104,7 +109,9 @@ int main(int argc, char **argv)
 	    usage();
 	}
 
-	cap_free(cap_d);
+	if (cap_d) {
+	    cap_free(cap_d);
+	}
     }
 
     return 0;