Index: NEWS =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/NEWS,v retrieving revision 1.1.2.1.2.10 retrieving revision 1.1.2.1.2.11 diff -u -p -I$Id: -r1.1.2.1.2.10 -r1.1.2.1.2.11 --- NEWS 11 Feb 2004 21:06:17 -0000 1.1.2.1.2.10 +++ NEWS 4 Mar 2004 03:35:56 -0000 1.1.2.1.2.11 @@ -1,3 +1,25 @@ +Version 0.30 +============ + + - BUGFIX: vlimit: fixed communication with kernel so that it + should work now. Output of this tools has been enhanced too. + + - BUGFIX: fixed off-by-one error when setting ipv4root; now the + full 16 IPs can be specified instead of 15 formerly + + - added better detection for the syscall number; this can solve + problems on non-ix86 architectures where __NR_vserver is not 273 + + - BUGFIX/ENHANCEMENTS: the CLI interface of 'reducecap' was fixed + significantly: now it is possible to remove capabilities like + CHOWN'. Formerly, only privileged caps like SYS_* or *_ADMIN + could be removed because of a coding error. Changes in the + related code are making it possible that both '--CAP_XXX' and + '--XXX' syntax will be recognized (based on patches and reports + by Bodo Eggert). + + + Version 0.29 ============ Index: configure.ac =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/configure.ac,v retrieving revision 1.1.2.1.2.31 diff -u -p -I$Id: -r1.1.2.1.2.31 configure.ac --- configure.ac 11 Feb 2004 21:06:17 -0000 1.1.2.1.2.31 +++ configure.ac 4 Mar 2004 03:42:31 -0000 @@ -25,7 +25,7 @@ dnl AC_PREREQ(2.57) -AC_INIT(util-vserver, 0.29, enrico.scholz@informatik.tu-chemnitz.de) +AC_INIT(util-vserver, 0.29.3, enrico.scholz@informatik.tu-chemnitz.de) AC_CONFIG_SRCDIR([src/capchroot.c]) AC_CONFIG_HEADER([config.h]) 
@@ -101,6 +101,7 @@ done IFS=$old_IFS AC_MSG_RESULT([$enable_apis]) +ENSC_SYSCALLNR(vserver,273) ENSC_SYSCALL ENSC_CHECK_EXT2FS_HEADER AC_CHECK_FUNCS([vserver]) Index: lib/Makefile-files =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/lib/Makefile-files,v retrieving revision 1.1.4.5 retrieving revision 1.1.4.6 diff -u -p -I$Id: -r1.1.4.5 -r1.1.4.6 --- lib/Makefile-files 28 Nov 2003 23:25:49 -0000 1.1.4.5 +++ lib/Makefile-files 4 Mar 2004 03:23:09 -0000 1.1.4.6 @@ -41,4 +41,4 @@ lib_XHDRS = lib/s lib_lib_LIBS = lib/libvserver.a lib_libvserver_a_SOURCES = $(lib_SRCS) -lib_libvserver_a_CPPFLAGS = -I$(kernelincludedir) -D_GNU_SOURCE +lib_libvserver_a_CPPFLAGS = -D_GNU_SOURCE Index: lib/syscall-compat.hc =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/lib/syscall-compat.hc,v retrieving revision 1.1.4.7 retrieving revision 1.1.4.8 diff -u -p -I$Id: -r1.1.4.7 -r1.1.4.8 --- lib/syscall-compat.hc 30 Dec 2003 13:45:57 -0000 1.1.4.7 +++ lib/syscall-compat.hc 19 Feb 2004 22:56:53 -0000 1.1.4.8 @@ -44,7 +44,7 @@ vc_set_ipv4root_compat(uint32_t bcast, struct vcmd_set_ipv4root_v3 msg; size_t i; - if (nb>=NB_IPV4ROOT) { + if (nb>NB_IPV4ROOT) { errno = -EINVAL; return -1; } Index: lib/syscall_rlimit-v11.hc =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/lib/syscall_rlimit-v11.hc,v retrieving revision 1.1.2.6 retrieving revision 1.1.2.7 diff -u -p -I$Id: -r1.1.2.6 -r1.1.2.7 --- lib/syscall_rlimit-v11.hc 30 Dec 2003 13:45:57 -0000 1.1.2.6 +++ lib/syscall_rlimit-v11.hc 20 Feb 2004 19:43:29 -0000 1.1.2.7 
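Review bot: The rejection path in vc_set_ipv4root_compat stores a negative value in errno (`errno = -EINVAL;`), so a caller that prints it with perror() or compares it against EINVAL will not recognise the failure; it should read `errno = EINVAL;`. With the bound relaxed to `nb>NB_IPV4ROOT`, this test is the only visible guard on how many addresses are copied into `msg`, so it is worth confirming that the address array in struct vcmd_set_ipv4root_v3 really holds NB_IPV4ROOT entries and saying so in a comment next to the check. The function body continues outside the hunk, so the copy loop itself is not visible here.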
@@ -59,8 +59,8 @@ vc_set_rlimit_v11(xid_t ctx, int resourc static inline ALWAYSINLINE int vc_get_rlimit_mask_v11(xid_t ctx, int tmp, struct vc_rlimit_mask *lim) { - struct vcmd_ctx_rlimit_v0 vc_lim; - int rc; + struct vcmd_ctx_rlimit_mask_v0 vc_lim; + int rc; (void)tmp; Index: lib/vserver-internal.h =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/lib/vserver-internal.h,v retrieving revision 1.1.4.13 retrieving revision 1.1.4.14 diff -u -p -I$Id: -r1.1.4.13 -r1.1.4.14 --- lib/vserver-internal.h 5 Feb 2004 03:52:45 -0000 1.1.4.13 +++ lib/vserver-internal.h 14 Feb 2004 00:25:34 -0000 1.1.4.14 @@ -26,8 +26,8 @@ #include #include -#ifndef __NR_vserver -# define __NR_vserver 273 +#if !defined(__NR_vserver) && defined(ENSC_SYSCALL__NR_vserver) +# define __NR_vserver ENSC_SYSCALL__NR_vserver #endif #define VC_PREFIX 0) Index: m4/ensc_cflags.m4 =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/m4/ensc_cflags.m4,v retrieving revision 1.1.4.1 retrieving revision 1.1.4.2 diff -u -p -I$Id: -r1.1.4.1 -r1.1.4.2 --- m4/ensc_cflags.m4 26 Jan 2004 18:21:28 -0000 1.1.4.1 +++ m4/ensc_cflags.m4 4 Mar 2004 03:12:34 -0000 1.1.4.2 @@ -20,14 +20,14 @@ AC_DEFUN([__ENSC_CHECK_WARNFLAGS], warn_flags="-Werror -W" AC_MSG_CHECKING([whether the $1-compiler accepts ${warn_flags}]) AC_LANG_PUSH($1) - old_CFLAGS="${$3}" + __ensc_check_warnflags_old_CFLAGS="${$3}" $3="$warn_flags" AC_TRY_COMPILE([inline static void f(){}], [], [ensc_sys_compilerwarnflags_$2=${warn_flags}], [ensc_sys_compilerwarnflags_$2=]) AC_LANG_POP($1) - $3="$old_CFLAGS" + $3="$__ensc_check_warnflags_old_CFLAGS" if test x"${ensc_sys_compilerwarnflags_$2}" = x; then AC_MSG_RESULT([no]) 
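Review bot: In lib/vserver-internal.h nothing defines `__NR_vserver` any more when neither the system headers nor configure supply a number, so the build presumably fails at the first use of the macro instead of at this block. An explicit `#elif !defined(__NR_vserver)` followed by `# error "__NR_vserver is unknown; rerun configure"` would make that case self-explanatory, which matters because a wrong number means invoking a different syscall. A one-line comment stating that ENSC_SYSCALL__NR_vserver is produced by the ENSC_SYSCALLNR configure check would also help the next reader.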
@@ -82,7 +82,8 @@ AC_DEFUN([ENSC_CHECK_CXX_FLAG], # ENSC_CHECK_CC_FLAG(-flag1 -flag2 -flag3 ...) # ------------------------------------------------------------------------- -AC_DEFUN([ENSC_CHECK_CC_FLAG],[ +AC_DEFUN([ENSC_CHECK_CC_FLAG], +[ AC_REQUIRE([__ENSC_CHECK_WARNFLAGS_C]) echo 'void f(){}' > conftest.c Index: m4/ensc_e2fscheck.m4 =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/m4/ensc_e2fscheck.m4,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -u -p -I$Id: -r1.1.2.1 -r1.1.2.2 --- m4/ensc_e2fscheck.m4 26 Jan 2004 18:20:51 -0000 1.1.2.1 +++ m4/ensc_e2fscheck.m4 19 Feb 2004 22:56:27 -0000 1.1.2.2 @@ -46,9 +46,11 @@ the following reasons: * you have neither the e2fsprogs nor the kernel headers installed * kernel headers are broken (e.g. these of linux 2.6 are known to be) - and you do not have e2fsprogs headers installed; please try to - install e2fsprogs-devel (for Red Hat) or e2fsprogs-dev (for Debian) - in this case + and you do not have e2fsprogs headers installed; please try to install + - e2fsprogs-devel (for Red Hat), or + - libext2fs2-devel (for Mandrake), or + - e2fslibs-dev (for Debian) + in this case. * kernel headers are broken and your e2fsprogs headers are too old; until version 1.27 (inclusive), they are using reserved C++ keywords Index: m4/ensc_kerneldir.m4 =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/m4/ensc_kerneldir.m4,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -p -I$Id: -r1.1.2.2 -r1.1.2.3 --- m4/ensc_kerneldir.m4 26 Jan 2004 18:21:28 -0000 1.1.2.2 +++ m4/ensc_kerneldir.m4 4 Mar 2004 03:12:34 -0000 1.1.2.3 
@@ -50,6 +50,8 @@ AC_DEFUN([ENSC_KERNEL_HEADERS], ensc_cv_path_kernelheaders=$ensc_cv_path_kerneldir/include ]) - $1=$ensc_cv_path_kernelheaders - AC_SUBST($1) + if test x"$1" != x; then + $1=$ensc_cv_path_kernelheaders + AC_SUBST($1) + fi ]) Index: m4/ensc_syscall.m4 =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/m4/ensc_syscall.m4,v retrieving revision 1.2.2.1 retrieving revision 1.2.2.2 diff -u -p -I$Id: -r1.2.2.1 -r1.2.2.2 --- m4/ensc_syscall.m4 5 Feb 2004 03:52:45 -0000 1.2.2.1 +++ m4/ensc_syscall.m4 4 Mar 2004 03:12:34 -0000 1.2.2.2 @@ -32,8 +32,6 @@ AC_DEFUN([ENSC_SYSCALL], xauto) AC_CACHE_CHECK([which syscall(2) invocation works], [ensc_cv_test_syscall], [ - old_CPPFLAGS=$CPPFLAGS - CPPFLAGS="-I$ensc_cv_path_kernelheaders" AC_LANG_PUSH(C) AC_COMPILE_IFELSE([ #include @@ -65,7 +63,6 @@ int main() { [ensc_cv_test_syscall=traditional]) AC_LANG_POP - CPPFLAGS=$old_CPPFLAGS ]) with_syscall=$ensc_cv_test_syscall ;; Index: m4/ensc_syscallnr.m4 =================================================================== RCS file: m4/ensc_syscallnr.m4 diff -N m4/ensc_syscallnr.m4 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ m4/ensc_syscallnr.m4 4 Mar 2004 03:22:43 -0000 1.1.2.3 
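Review bot: The new guard in ENSC_KERNEL_HEADERS tests `$1` in the shell although the argument is already fixed when the macro is expanded, so an argument-less call still writes `=$ensc_cv_path_kernelheaders` and `AC_SUBST()` into the generated configure inside a branch that can never run. Deciding at m4 time keeps that text out of the script, for example `m4_ifval([$1], [$1=$ensc_cv_path_kernelheaders` followed by `AC_SUBST($1)])`. The macro begins outside the hunk, so this assumes nothing earlier in it depends on `$1` being set.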
@@ -0,0 +1,62 @@ +dnl $Id: ensc_syscallnr.m4,v 1.1.2.3 2004/03/04 03:22:43 ensc Exp $ + +dnl Copyright (C) 2004 Enrico Scholz +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; version 2 of the License. +dnl +dnl This program is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +dnl GNU General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +dnl Usage: ENSC_SYSCALLNR(,) + +AC_DEFUN([ENSC_SYSCALLNR], +[ + AC_REQUIRE([AC_PROG_CPP]) + AC_REQUIRE([AC_PROG_EGREP]) + AC_REQUIRE([ENSC_KERNEL_HEADERS]) + + AC_CACHE_CHECK([for number of syscall '$1'], [ensc_cv_value_syscall_$1], + [ + AC_LANG_PUSH(C) + AC_LANG_CONFTEST([ +#include +#ifdef __NR_$1 +ensc_syscall_tmp_nr=__NR_$1; +ensc_syscall_tmp_src=ENSC_MARK +#endif +]) + ensc_syscall_tmp_nr= + ensc_syscall_tmp_src= + test "$ensc_syscall_tmp_nr" || \ + eval $($CPP $CPPFLAGS -D ENSC_MARK='glibc' conftest.c | $EGREP '^ensc_syscall_tmp_(nr=[[1-9]][[0-9]]*;|src=.*)$') + test "$ensc_syscall_tmp_nr" || \ + eval $($CPP $CPPFLAGS -D ENSC_MARK='kernel' -I $kernelincludedir conftest.c | $EGREP '^ensc_syscall_tmp_(nr=[[1-9]][[0-9]]*;|src=.*)$') + test "$ensc_syscall_tmp_nr" || { + ensc_syscall_tmp_nr=$2 + ensc_syscall_tmp_src=default + } + + if test x"$ensc_syscall_tmp_nr" = x; then + AC_MSG_ERROR( +[Can not determine value of __NR_$1; please verify your glibc/kernelheaders, and/or set CPPFLAGS='-D=__NR_$1=' environment when calling configure.]) + fi + AC_LANG_POP + + ensc_cv_value_syscall_$1="$ensc_syscall_tmp_nr/$ensc_syscall_tmp_src" + ]) + + 
ensc_syscall_tmp_nr=${ensc_cv_value_syscall_$1%/*} + ensc_syscall_tmp_src=${ensc_cv_value_syscall_$1#*/} + + if test x"$ensc_syscall_tmp_src" != x'glibc'; then + AC_DEFINE_UNQUOTED(ENSC_SYSCALL__NR_$1, $ensc_syscall_tmp_nr, [The number of the $1 syscall]) + fi +]) Index: m4/validate.am =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/m4/validate.am,v retrieving revision 1.1.4.1 retrieving revision 1.1.4.2 diff -u -p -I$Id: -r1.1.4.1 -r1.1.4.2 --- m4/validate.am 3 Nov 2003 23:10:50 -0000 1.1.4.1 +++ m4/validate.am 4 Mar 2004 03:12:34 -0000 1.1.4.2 @@ -25,5 +25,6 @@ distclean-uptodate: .%-up-to-date: @rm -f .*-up-to-date + @$(MAKE) -s clean @touch -t 197001020000 '$@' - @$(MAKE) -s clean $(BUILT_SOURCES) + @$(MAKE) -s $(BUILT_SOURCES) Index: src/reducecap.c =================================================================== RCS file: /cvsroot/util-vserver/util-vserver/src/reducecap.c,v retrieving revision 1.1.4.2 retrieving revision 1.1.4.3 diff -u -p -I$Id: -r1.1.4.2 -r1.1.4.3 --- src/reducecap.c 30 Oct 2003 00:36:39 -0000 1.1.4.2 +++ src/reducecap.c 4 Mar 2004 00:33:12 -0000 1.1.4.3 
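Review bot: Both probes in ENSC_SYSCALLNR hand preprocessor output to `eval`, and the egrep filter accepts `ensc_syscall_tmp_src=.*`, so anything that follows `src=` on a matching line is interpreted by the shell running configure. The conftest can only legitimately produce the two ENSC_MARK values, so the pattern can be narrowed to `src=(glibc|kernel)` in both calls. The second probe also passes `-I $kernelincludedir`, while the `AC_REQUIRE([ENSC_KERNEL_HEADERS])` here supplies no argument and so does not set that variable itself; if it is empty, `-I` would take `conftest.c` as its directory, and `$ensc_cv_path_kernelheaders` looks like the safer reference. A header that defines the number as an expression rather than a plain literal will not match `[1-9][0-9]*;` and silently falls back to the default, which deserves a comment.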
@@ -161,49 +161,55 @@ int main (int argc, char *argv[]) // The following capabilities are normally available // to vservers administrator, but are place for // completeness - {"CAP_CHOWN",CAP_CHOWN}, - {"CAP_DAC_OVERRIDE",CAP_DAC_OVERRIDE}, - {"CAP_DAC_READ_SEARCH",CAP_DAC_READ_SEARCH}, - {"CAP_FOWNER",CAP_FOWNER}, - {"CAP_FSETID",CAP_FSETID}, - {"CAP_KILL",CAP_KILL}, - {"CAP_SETGID",CAP_SETGID}, - {"CAP_SETUID",CAP_SETUID}, - {"CAP_SETPCAP",CAP_SETPCAP}, - {"CAP_SYS_TTY_CONFIG",CAP_SYS_TTY_CONFIG}, - {"CAP_LEASE",CAP_LEASE}, - {"CAP_SYS_CHROOT",CAP_SYS_CHROOT}, + {"CHOWN",CAP_CHOWN}, + {"DAC_OVERRIDE",CAP_DAC_OVERRIDE}, + {"DAC_READ_SEARCH",CAP_DAC_READ_SEARCH}, + {"FOWNER",CAP_FOWNER}, + {"FSETID",CAP_FSETID}, + {"KILL",CAP_KILL}, + {"SETGID",CAP_SETGID}, + {"SETUID",CAP_SETUID}, + {"SETPCAP",CAP_SETPCAP}, + {"SYS_TTY_CONFIG",CAP_SYS_TTY_CONFIG}, + {"LEASE",CAP_LEASE}, + {"SYS_CHROOT",CAP_SYS_CHROOT}, // Those capabilities are not normally available // to vservers because they are not needed and // may represent a security risk - {"--LINUX_IMMUTABLE",CAP_LINUX_IMMUTABLE}, - {"--NET_BIND_SERVICE",CAP_NET_BIND_SERVICE}, - {"--NET_BROADCAST",CAP_NET_BROADCAST}, - {"--NET_ADMIN", CAP_NET_ADMIN}, - {"--NET_RAW", CAP_NET_RAW}, - {"--IPC_LOCK", CAP_IPC_LOCK}, - {"--IPC_OWNER", CAP_IPC_OWNER}, - {"--SYS_MODULE",CAP_SYS_MODULE}, - {"--SYS_RAWIO", CAP_SYS_RAWIO}, - {"--SYS_PACCT", CAP_SYS_PACCT}, - {"--SYS_ADMIN", CAP_SYS_ADMIN}, - {"--SYS_BOOT", CAP_SYS_BOOT}, - {"--SYS_NICE", CAP_SYS_NICE}, - {"--SYS_RESOURCE",CAP_SYS_RESOURCE}, - {"--SYS_TIME", CAP_SYS_TIME}, - {"--MKNOD", CAP_MKNOD}, - {"--QUOTACTL", CAP_QUOTACTL}, + {"LINUX_IMMUTABLE",CAP_LINUX_IMMUTABLE}, + {"NET_BIND_SERVICE",CAP_NET_BIND_SERVICE}, + {"NET_BROADCAST",CAP_NET_BROADCAST}, + {"NET_ADMIN", CAP_NET_ADMIN}, + {"NET_RAW", CAP_NET_RAW}, + {"IPC_LOCK", CAP_IPC_LOCK}, + {"IPC_OWNER", CAP_IPC_OWNER}, + {"SYS_MODULE",CAP_SYS_MODULE}, + {"SYS_RAWIO", CAP_SYS_RAWIO}, + {"SYS_PACCT", CAP_SYS_PACCT}, + 
{"SYS_ADMIN", CAP_SYS_ADMIN}, + {"SYS_BOOT", CAP_SYS_BOOT}, + {"SYS_NICE", CAP_SYS_NICE}, + {"SYS_RESOURCE",CAP_SYS_RESOURCE}, + {"SYS_TIME", CAP_SYS_TIME}, + {"MKNOD", CAP_MKNOD}, + {"QUOTACTL", CAP_QUOTACTL}, {NULL,0} }; int j; + arg += 2; + if (*arg=='\0') { + ++i; + break; + } + if (strncmp(arg, "CAP_", 4)==0) arg += 4; for (j=0; tbcap[j].option != NULL; j++){ if (strcasecmp(tbcap[j].option,arg)==0){ remove |= (1<] [-a|--all] [-MSH -- ]*\n" + " -c [-a|--all] [-MSH -- ]*\n" "Please report bugs to " PACKAGE_BUGREPORT "\n"); exit(res); } @@ -123,9 +123,9 @@ showAll(int ctx) struct vc_rlimit_mask mask; size_t i; - if (vc_get_rlimit_mask(-2, &mask)==-1) { + if (vc_get_rlimit_mask(ctx, &mask)==-1) { perror("vc_get_rlimit_mask()"); - //exit(1); + exit(1); } for (i=0; i<32; ++i) { @@ -133,6 +133,7 @@ showAll(int ctx) struct vc_rlimit limit; char buf[100], *ptr=buf; + if (((mask.min|mask.soft|mask.hard) & bitmask)==0) continue; if (vc_get_rlimit(ctx, i, &limit)==-1) { perror("vc_get_rlimit()"); //continue; @@ -157,7 +158,7 @@ static void size_t i; for (i=0; i<32; ++i) { if ((mask & (1<
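Review bot: In showAll the failure branch of `vc_get_rlimit(ctx, i, &limit)` still has its `continue` commented out, so after perror() the loop appears to carry on and format `limit` without it having been filled in. Since this commit already makes the mask lookup exit on error, the per-resource call should be handled too, for example by restoring `continue;` in place of `//continue;`. The rest of the loop body lies outside the hunk, so how `limit` is used afterwards should be confirmed there.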