From 54f055ee34a121d1649b8fefb6071600bebfca61 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Sat, 21 Jul 2007 22:18:02 -0700 Subject: [PATCH] Revived old setcap/getcap manual pages and added support for removing file caps --- Make.Rules | 1 + doc/{old => }/cap_get_fd.3 | 0 doc/{old => }/cap_get_file.3 | 13 +++++++--- doc/{old => }/getcap.8 | 0 doc/{old => }/setcap.8 | 0 libcap/Makefile | 2 +- libcap/cap_file.c | 10 ++++++-- progs/setcap.c | 49 ++++++++++++++++++++---------------- 8 files changed, 47 insertions(+), 28 deletions(-) rename doc/{old => }/cap_get_fd.3 (100%) rename doc/{old => }/cap_get_file.3 (92%) rename doc/{old => }/getcap.8 (100%) rename doc/{old => }/setcap.8 (100%) diff --git a/Make.Rules b/Make.Rules index 553e479..de20875 100644 --- a/Make.Rules +++ b/Make.Rules @@ -57,6 +57,7 @@ LD=ld LDFLAGS=-s #-g KERNEL_HEADERS = /usr/include +SYSTEM_HEADERS = /usr/include IPATH += -I$(topdir)/libcap/include INCS=$(topdir)/libcap/include/sys/capability.h LIBS=-L$(topdir)/libcap -lcap diff --git a/doc/old/cap_get_fd.3 b/doc/cap_get_fd.3 similarity index 100% rename from doc/old/cap_get_fd.3 rename to doc/cap_get_fd.3 diff --git a/doc/old/cap_get_file.3 b/doc/cap_get_file.3 similarity index 92% rename from doc/old/cap_get_file.3 rename to doc/cap_get_file.3 index e2eb626..c9b727c 100644 --- a/doc/old/cap_get_file.3 +++ b/doc/cap_get_file.3 @@ -6,7 +6,7 @@ .SH NAME cap_get_file, cap_set_file, cap_get_fd, cap_set_fd \- capability manipulation on files .sp -.B " PLEASE NOTE NONE OF THESE FUNCTIONS ARE IMPLEMENTED IN 0.102. NEITHER IS THERE SUPPORT FOR THEM IN LINUX 2.1.102." +.B " Note: support for file capabilities is anticipated in Linux 2.6.23+" .SH SYNOPSIS .B .sp 
@@ -50,10 +50,15 @@ pointed to by
 or the file open on descriptor
 .IR fd ,
 with the capability state identified by
-.IR cap_p .
-The new capability state of the file shall be completely determined by the
-contents of
 .IR cap_p .
+The new capability state of the file shall be completely determined by the
+contents of
+.IR cap_p .
+A
+.IR NULL
+value for
+.IR cap_p
+is used to indicate that capabilities for the file should be deleted.
 For these functions to succeed, the calling process must have the
 .B CAP_SETFCAP
 capability enabled and either the effective user ID of the process must match
diff --git a/doc/old/getcap.8 b/doc/getcap.8
similarity index 100%
rename from doc/old/getcap.8
rename to doc/getcap.8
diff --git a/doc/old/setcap.8 b/doc/setcap.8
similarity index 100%
rename from doc/old/setcap.8
rename to doc/setcap.8
diff --git a/libcap/Makefile b/libcap/Makefile
index c492559..f875c33 100644
--- a/libcap/Makefile
+++ b/libcap/Makefile
@@ -46,7 +46,7 @@ $(MINLIBNAME): $(OBJS)
 <<<<<<< HEAD:libcap/Makefile
 =======
 cap_sys.o: cap_sys.c $(INCLS)
- $(CC) $(IPATH) -fPIC -Wall -O2 -c $< -o $@
+ $(CC) -include $(SYSTEM_HEADERS)/linux/unistd.h $(IPATH) -fPIC -Wall -O2 -c $< -o $@
 >>>>>>> Add tentitive support for filesystem capabilities with 2.6.23-mm kernels:libcap/Makefile
 
 install: all
diff --git a/libcap/cap_file.c b/libcap/cap_file.c
index b452b9c..90a2c40 100644
--- a/libcap/cap_file.c
+++ b/libcap/cap_file.c
@@ -134,7 +134,10 @@ int cap_set_fd(int fildes, cap_t cap_d)
 {
 struct vfs_cap_data rawvfscap;
 
- if (_fcaps_save(&rawvfscap, cap_d) != 0) {
+ if (cap_d == NULL) {
+ _cap_debug("deleting fildes capabilities");
+ return fremovexattr(fildes, XATTR_NAME_CAPS);
+ } else if (_fcaps_save(&rawvfscap, cap_d) != 0) {
 return -1;
 }
 
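Review bot: The context lines of the libcap/Makefile hunk still carry merge-conflict markers (`<<<<<<< HEAD:libcap/Makefile`, `=======`, `>>>>>>> Add tentitive support ...`), so the file does not parse as a Makefile regardless of the edit to the cap_sys.o recipe; those markers should be resolved in this commit instead of patching the rule between them. The new `-include $(SYSTEM_HEADERS)/linux/unistd.h` also depends on the `SYSTEM_HEADERS` variable added in the Make.Rules hunk, which is worth stating in a comment above the rule, e.g. `# cap_sys.c needs the kernel's syscall numbers; SYSTEM_HEADERS comes from Make.Rules`.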
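Review bot: The `if (cap_d == NULL)` branch in cap_set_fd gives a NULL handle a destructive meaning — a NULL that reaches this function by mistake now removes the file's capability attribute rather than taking the error path — so the branch deserves a comment making the contract explicit, e.g. `/* NULL is a deliberate request to delete the file's capabilities (see cap_set_file(3)) */`. Also, `fremovexattr()` fails with ENODATA when the file carries no capability attribute, so removing caps from an already-clean file will be reported as an error; if that should count as success, the branch needs something like `if (fremovexattr(fildes, XATTR_NAME_CAPS) < 0 && errno != ENODATA) return -1; return 0;`, and either way the chosen behaviour should be documented. The same two points apply to the `removexattr()` branch in cap_set_file in the following hunk. cap_set_fd's body continues past the end of the hunk.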
@@ -152,7 +155,10 @@ int cap_set_file(const char *filename, cap_t cap_d)
 {
 struct vfs_cap_data rawvfscap;
 
- if (_fcaps_save(&rawvfscap, cap_d) != 0) {
+ if (cap_d == NULL) {
+ _cap_debug("removing filename capabilities");
+ return removexattr(filename, XATTR_NAME_CAPS);
+ } else if (_fcaps_save(&rawvfscap, cap_d) != 0) {
 return -1;
 }
 
diff --git a/progs/setcap.c b/progs/setcap.c
index 14e6307..b312212 100644
--- a/progs/setcap.c
+++ b/progs/setcap.c
@@ -14,8 +14,8 @@ static void usage(void)
 {
 fprintf(stderr,
- "usage: setcap [-q] (-|) "
- "[ ... (-|) ]\n"
+ "usage: setcap [-q] (-r|-|) "
+ "[ ... (-r|-|) ]\n"
 );
 exit(1);
 }
 
@@ -71,28 +71,33 @@ int main(int argc, char **argv)
 quiet = 1;
 continue;
 }
- if (!strcmp(*argv,"-")) {
- retval = read_caps(quiet, *argv, buffer);
- if (retval)
+ if (!strcmp(*argv,"-r")) {
+ cap_d = NULL;
+ } else {
+ if (!strcmp(*argv,"-")) {
+ retval = read_caps(quiet, *argv, buffer);
+ if (retval)
+ usage();
+ text = buffer;
+ } else {
+ text = *argv;
+ }
+
+ cap_d = cap_from_text(text);
+ if (cap_d == NULL) {
+ perror("fatal error");
 usage();
- text = buffer;
- } else
- text = *argv;
-
- cap_d = cap_from_text(text);
- if (cap_d == NULL) {
- perror("fatal error");
- usage();
- }
+ }
 #ifdef DEBUG
- {
- ssize_t length;
- const char *result;
+ {
+ ssize_t length;
+ const char *result;
 
- result = cap_to_text(cap_d, &length);
- fprintf(stderr, "caps set to: [%s]\n", result);
- }
+ result = cap_to_text(cap_d, &length);
+ fprintf(stderr, "caps set to: [%s]\n", result);
+ }
 #endif
+ }
 
 if (--argc <= 0)
 usage();
@@ -104,7 +109,9 @@ int main(int argc, char **argv)
 usage();
 }
 
- cap_free(cap_d);
+ if (cap_d) {
+ cap_free(cap_d);
+ }
 }
 
 return 0;
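Review bot: In the rewritten `#ifdef DEBUG` block of main() the string returned by `cap_to_text(cap_d, &length)` is printed and then dropped; it is allocated by libcap and should be released with `cap_free(result);` after the fprintf — the leak predates this commit, but the block is being re-indented here anyway. The new `-r` branch sets `cap_d = NULL` and relies on the later cap_set_file() call treating NULL as "remove", which a reader cannot see from this hunk; a one-line comment on that branch, `/* -r: a NULL cap_d asks cap_set_file() to delete the capability attribute */`, would make the intent explicit. As a matter of style, the whole previous parse body is nested one level deeper only to add the `-r` case; an `if`/`else if` chain with the cap_from_text() call guarded by `text != NULL` would keep the old indentation and leave a diff that shows only the new branch. main() begins and ends outside the hunk.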
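Review bot: The `if (cap_d) { cap_free(cap_d); }` guard in the last hunk is only needed if cap_free() rejects a NULL argument; if libcap's cap_free() already returns 0 for NULL, as its implementation in cap_alloc.c appears to, the plain `cap_free(cap_d);` that was removed is sufficient and the guard just adds noise — worth confirming before keeping it. The enclosing loop body starts outside the hunk.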