From 8d410d436b03b1d139da6dfdb00a53dafe9db119 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 1 Sep 2025 07:10:08 +0000 Subject: [PATCH] eclass/fcaps: Sync with Gentoo It's from Gentoo commit 2e32af007cf8a21bd77002ca45c9bccc711a2bd0. Signed-off-by: Flatcar Buildbot --- .../portage-stable/eclass/fcaps.eclass | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass b/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass
index 5cb781a7a7..81c1ca6236 100644
--- a/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: fcaps.eclass
@@ -84,13 +84,16 @@ esac
 # appropriate path var ($D/$ROOT/etc...) will be prefixed based on the current
 # ebuild phase.
 #
-# The caps mode (default 711) is used to set the permission on the file if
-# capabilities were properly set on the file.
+# The caps mode is used to set the permission on the file if capabilities
+# were properly set on the file. No change is applied by default.
 #
 # If the system is unable to set capabilities, it will use the specified user,
-# group, and mode (presumably to make the binary set*id). The defaults there
-# are 0:0 and 4711. Otherwise, the ownership and permissions will be
-# unchanged.
+# group, and mode. The user and group default to 0. If mode is unspecified, no
+# change is applied.
+#
+# For example, "-m u+s" may be used to enable suid as a fallback when file caps
+# are unavailable. This should be used with care, typically when the
+# application is written to handle dropping privileges itself.
 fcaps() {
  debug-print-function ${FUNCNAME} "$@"
 
@@ -102,14 +105,9 @@ fcaps() {
  # Process the user options first.
  local owner='0'
  local group='0'
- local mode=u+s
+ local mode=
  local caps_mode=
 
- if [[ -n ${FCAPS_DENY_WORLD_READ} ]]; then
- mode=u+s,go-r
- caps_mode=go-r
- fi
-
  while [[ $# -gt 0 ]] ; do
  case $1 in
  -o) owner=$2; shift;;
@@ -143,12 +141,16 @@ fcaps() {
  for file ; do
  [[ ${file} != /* ]] && file="${root}/${file}"
 
+ # Remove the read bits if requested.
+ if [[ -n ${FCAPS_DENY_WORLD_READ} ]]; then
+ chmod go-r "${file}" || die
+ fi
+
  if use filecaps ; then
  # Try to set capabilities. Ignore errors when the
  # fs doesn't support it, but abort on all others.
  debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"
 
- # Remove the read bits if requested.
  if [[ -n ${caps_mode} ]]; then
  chmod ${caps_mode} "${file}" || die
  fi
@@ -182,11 +184,11 @@ fcaps() {
  fi
 
  # If we're still here, setcaps failed.
- if [[ -n ${owner} || -n ${group} ]]; then
- debug-print "${FUNCNAME}: setting owner on '${file}'"
- chown "${owner}:${group}" "${file}" || die
- fi
  if [[ -n ${mode} ]]; then
+ if [[ -n ${owner} || -n ${group} ]]; then
+ debug-print "${FUNCNAME}: setting owner on '${file}'"
+ chown "${owner}:${group}" "${file}" || die
+ fi
  debug-print "${FUNCNAME}: setting mode on '${file}'"
  chmod ${mode} "${file}" || die
  fi