Makefile tweaks mostly

add rule to build HTML
add LIBATTR=no makefile support for not including filesystem support
comment cleanup for cap_file.c.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Author: AndrewGMorgan

Make.Rules

@@ -66,6 +66,7 @@ CFLAGS += -Dlinux $(WARNINGS) $(DEBUG) $(IPATH)
 PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
 INDENT := $(shell if [ -z "$(which ident 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
 DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
+LIBATTR := yes
 
 # Global cleanup stuff
 

README

@@ -1,4 +1,3 @@
-
 This is a library for getting and setting POSIX.1e (formerly POSIX 6)
 draft 15 capabilities.
 
@@ -8,7 +7,7 @@ This library would not have been possible without the help of
 
 More information on capabilities in the Linux kernel can be found at
 
-	http://linux.kernel.org/pub/linux/libs/security/linux-privs/
+	http://sites.google.com/site/fullycapable/
 
 # INSTALLATION
 
@@ -18,7 +17,7 @@ More information on capabilities in the Linux kernel can be found at
 
 	Linux-Caps % make install
 
-		installs the library libcap.XX.Y in /lib/
+		installs the library libcap.XX.Y in /lib[64]/
 		the binaries in /sbin/
 		the <sys/capability.h> file in /usr/include
 

doc/Makefile

@@ -18,6 +18,15 @@ MANS = $(MAN3S) $(MAN8S)
 
 all: $(MANS)
 
+.PHONY: html
+html:
+	mkdir -p html
+	for man in $(MANS) ; \
+	do \
+		egrep '^\.so man' $$man > /dev/null || \
+		groff -man -Thtml $$man > html/$$man.html ; \
+	done
+
 install:
 	mkdir -p -m 755 $(MANDIR)/man3 $(MANDIR)/man8
 	for man in \
@@ -33,4 +42,6 @@ install:
 
 clean:
 	$(LOCALCLEAN)
+	rm -rf html
+
 

libcap/Makefile

@@ -10,14 +10,20 @@ LIBNAME=$(LIBTITLE).so
 STALIBNAME=$(LIBTITLE).a
 #
 
-FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file
+FILES=cap_alloc cap_proc cap_extint cap_flag cap_text
+
+# make including file support something you can override (no libattr
+# no support).
+ifeq ($(LIBATTR),yes)
+FILES += cap_file
+LDFLAGS += -lattr
+endif
 
 INCLS=libcap.h cap_names.h $(INCS)
 OBJS=$(addsuffix .o, $(FILES))
 MAJLIBNAME=$(LIBNAME).$(VERSION)
 MINLIBNAME=$(MAJLIBNAME).$(MINOR)
 GPERF_OUTPUT = _caps_output.gperf
-LDFLAGS += -lattr
 
 all: $(MINLIBNAME) $(STALIBNAME)
 

libcap/cap_file.c

@@ -199,7 +199,7 @@ cap_t cap_get_fd(int fildes)
 }
 
 /*
- * Set the capabilities on a named file.
+ * Get the capabilities from a named file.
  */
 
 cap_t cap_get_file(const char *filename)

progs/Makefile

@@ -4,7 +4,11 @@ include $(topdir)/Make.Rules
 #
 # Programs: all of the examples that we will compile
 #
-PROGS=getpcaps getcap setcap capsh
+PROGS=getpcaps capsh
+ifeq ($(LIBATTR),yes)
+PROGS += getcap setcap
+endif
+
 BUILD=$(PROGS)
 
 ifneq ($(DYNAMIC),yes)
@@ -28,4 +32,4 @@ install: all
 
 clean:
 	$(LOCALCLEAN)
-	rm -f *.o $(BUILD) tcapsh ping
+	rm -f *.o $(BUILD) tcapsh ping hack.sh

progs/quicktest.sh

@@ -104,3 +104,23 @@ pass_capsh --secbits=47 --inh=cap_net_raw --drop=cap_net_raw \
     --uid=500 --print -- -c "./ping -c1 localhost"
 
 rm -f ./ping
+
+# test that we do not support capabilities on setuid shell-scripts
+cat > hack.sh <<EOF
+#!/bin/bash
+mypid=\$\$
+caps=\$(./getpcaps \$mypid 2>&1 | cut -d: -f2)
+if [ "\$caps" != " =" ]; then
+  echo "Shell script got [\$caps] - you should upgrade your kernel"
+  exit 1
+fi
+exit 0
+EOF
+chmod +xs hack.sh
+./hack.sh
+status=$?
+rm -f ./hack.sh
+if [ $status -ne 0 ]; then
+    echo "shell scripts can have capabilities (bug)"
+    exit 1
+fi