eclass/fcaps: Sync with Gentoo

It's from Gentoo commit f8642f4a3ef06b7b82985c9f770e5cda862adb54.
2025-08-10 22:46:58 +02:00 · 2024-11-25 07:06:52 +00:00 · 2024-11-25 07:06:52 +00:00 · fd96c76c54
commit fd96c76c54
parent f8d20357ac
1 changed files with 26 additions and 9 deletions
--- a/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/fcaps.eclass
@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 # @ECLASS: fcaps.eclass
@ -66,6 +66,12 @@ esac
 #
 # Note: If you override pkg_postinst, you must call fcaps_pkg_postinst yourself.

+# @ECLASS_VARIABLE: FCAPS_DENY_WORLD_READ
+# @USER_VARIABLE
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# When set, deny read access on files updated by the fcaps function.
+
 # @FUNCTION: fcaps
 # @USAGE: [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] <capabilities> <file[s]>
 # @DESCRIPTION:
@ -96,8 +102,13 @@ fcaps() {
 	# Process the user options first.
 	local owner='0'
 	local group='0'
-	local mode='4711'
-	local caps_mode='711'
+	local mode=u+s
+	local caps_mode=
+
+	if [[ -n ${FCAPS_DENY_WORLD_READ} ]]; then
+		mode=u+s,go-r
+		caps_mode=go-r
+	fi

 	while [[ $# -gt 0 ]] ; do
 		case $1 in
@ -137,9 +148,10 @@ fcaps() {
 			# fs doesn't support it, but abort on all others.
 			debug-print "${FUNCNAME}: setting caps '${caps}' on '${file}'"

-			# If everything goes well, we don't want the file to be readable
-			# by people.
-			chmod ${caps_mode} "${file}" || die
+			# Remove the read bits if requested.
+			if [[ -n ${caps_mode} ]]; then
+				chmod ${caps_mode} "${file}" || die
+			fi

 			if ! out=$(LC_ALL=C setcap "${caps}" "${file}" 2>&1) ; then
 				case ${out} in
@ -170,9 +182,14 @@ fcaps() {
 		fi

 		# If we're still here, setcaps failed.
-		debug-print "${FUNCNAME}: setting owner/mode on '${file}'"
-		chown "${owner}:${group}" "${file}" || die
-		chmod ${mode} "${file}" || die
+		if [[ -n ${owner} || -n ${group} ]]; then
+			debug-print "${FUNCNAME}: setting owner on '${file}'"
+			chown "${owner}:${group}" "${file}" || die
+		fi
+		if [[ -n ${mode} ]]; then
+			debug-print "${FUNCNAME}: setting mode on '${file}'"
+			chmod ${mode} "${file}" || die
+		fi
 	done
 }