missing: rename securebits.h to missing_securebits.h
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 4 Dec 2018 06:49:11 +0000 (07:49 +0100)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 4 Dec 2018 06:49:24 +0000 (07:49 +0100)
src/basic/meson.build
src/basic/missing_securebits.h [new file with mode: 0644]
src/basic/securebits.h [deleted file]
src/core/execute.c
src/core/load-fragment.c
src/shared/securebits-util.c
src/shared/securebits-util.h

index 96d6b6eb28bedbd4602c39907c0f17c2c8318100..596c937d542ed1f8c8def44cb479b0363e5e4e94 100644 (file)
@@ -101,6 +101,7 @@ basic_sources = files('''
         missing_if_tunnel.h
         missing_keyctl.h
         missing_network.h
+        missing_securebits.h
         missing_syscall.h
         missing_vxcan.h
         mkdir-label.c
@@ -134,7 +135,6 @@ basic_sources = files('''
         replace-var.h
         rm-rf.c
         rm-rf.h
-        securebits.h
         selinux-util.c
         selinux-util.h
         set.h
diff --git a/src/basic/missing_securebits.h b/src/basic/missing_securebits.h
new file mode 100644 (file)
index 0000000..40d6ec9
--- /dev/null
@@ -0,0 +1,17 @@
+#pragma once
+
+#include <linux/securebits.h>
+
+/* 746bf6d64275be0c65b0631d8a72b16f1454cfa1 (4.3) */
+#ifndef SECURE_NO_CAP_AMBIENT_RAISE
+#define SECURE_NO_CAP_AMBIENT_RAISE        6
+#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7  /* make bit-6 immutable */
+#define SECBIT_NO_CAP_AMBIENT_RAISE        (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
+#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
+
+#undef  SECURE_ALL_BITS
+#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) |                 \
+                         issecure_mask(SECURE_NO_SETUID_FIXUP) |        \
+                         issecure_mask(SECURE_KEEP_CAPS) |              \
+                         issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
+#endif
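Review bot: The `#ifndef SECURE_NO_CAP_AMBIENT_RAISE` fallback only compensates for old build-time headers, and nothing in the new header says so. When the fallback is active, `SECURE_ALL_BITS` (and a lock mask derived from it, as the removed header did with `SECURE_ALL_BITS << 1`) covers bits 6 and 7, which a kernel older than 4.3 presumably rejects. Callers that validate or apply securebits against this mask therefore still need to handle the prctl call failing at run time; those callers are outside this diff. I would expand the hash-only comment to `/* Linux 4.3, kernel commit 746bf6d64275be0c65b0631d8a72b16f1454cfa1. Build-time fallback only: the running kernel may still reject these bits. */`. The new file also begins at `#pragma once` without the SPDX line that `securebits-util.h` carries, so its license should be stated explicitly.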
diff --git a/src/basic/securebits.h b/src/basic/securebits.h
deleted file mode 100644 (file)
index e3b7538..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-#pragma once
-
-/* This is minimal version of Linux' linux/securebits.h header file,
- * which is licensed GPL2 */
-
-#define SECUREBITS_DEFAULT 0x00000000
-
-/* When set UID 0 has no special privileges. When unset, we support
-   inheritance of root-permissions and suid-root executable under
-   compatibility mode. We raise the effective and inheritable bitmasks
-   *of the executable file* if the effective uid of the new process is
-   0. If the real uid is 0, we raise the effective (legacy) bit of the
-   executable file. */
-#define SECURE_NOROOT                  0
-#define SECURE_NOROOT_LOCKED           1  /* make bit-0 immutable */
-
-/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
-   When unset, to provide compatibility with old programs relying on
-   set*uid to gain/lose privilege, transitions to/from uid 0 cause
-   capabilities to be gained/lost. */
-#define SECURE_NO_SETUID_FIXUP         2
-#define SECURE_NO_SETUID_FIXUP_LOCKED  3  /* make bit-2 immutable */
-
-/* When set, a process can retain its capabilities even after
-   transitioning to a non-root user (the set-uid fixup suppressed by
-   bit 2). Bit-4 is cleared when a process calls exec(); setting both
-   bit 4 and 5 will create a barrier through exec that no exec()'d
-   child can use this feature again. */
-#define SECURE_KEEP_CAPS               4
-#define SECURE_KEEP_CAPS_LOCKED                5  /* make bit-4 immutable */
-
-/* Each securesetting is implemented using two bits. One bit specifies
-   whether the setting is on or off. The other bit specify whether the
-   setting is locked or not. A setting which is locked cannot be
-   changed from user-level. */
-#define issecure_mask(X)       (1 << (X))
-#define issecure(X)            (issecure_mask(X) & current_cred_xxx(securebits))
-
-#define SECURE_ALL_BITS                (issecure_mask(SECURE_NOROOT) | \
-                                 issecure_mask(SECURE_NO_SETUID_FIXUP) | \
-                                 issecure_mask(SECURE_KEEP_CAPS))
-#define SECURE_ALL_LOCKS       (SECURE_ALL_BITS << 1)
index 6136d700a3666c383e8f0a2d6e9684a603f27c44..e966f9cfe85ee48717f3e02ea62b98d4e0aa1dc2 100644 (file)
@@ -76,7 +76,6 @@
 #if HAVE_SECCOMP
 #include "seccomp-util.h"
 #endif
-#include "securebits.h"
 #include "securebits-util.h"
 #include "selinux-util.h"
 #include "signal-util.h"
index 041b62231485bad287b48d75a47b31e21a8a0762..36e874de2948cea6e7c5b342c2a75dadd91d690d 100644 (file)
@@ -46,7 +46,6 @@
 #if HAVE_SECCOMP
 #include "seccomp-util.h"
 #endif
-#include "securebits.h"
 #include "securebits-util.h"
 #include "signal-util.h"
 #include "stat-util.h"
index ad091f6d9530ad20fb051b4bf6e78d10a91d6f30..6d31dfeff0a28e55522d281d6cb3c53b00f65f28 100644 (file)
@@ -5,7 +5,6 @@
 
 #include "alloc-util.h"
 #include "extract-word.h"
-#include "securebits.h"
 #include "securebits-util.h"
 #include "string-util.h"
 
index 3cb3cb3d0857b23d2d0dbc4d72e612bdb20756a2..b5ec6ee0e683e54af59fd777800bd8acb3cd38c3 100644 (file)
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1+ */
 #pragma once
 
-#include "securebits.h"
+#include "missing_securebits.h"
 
 int secure_bits_to_string_alloc(int i, char **s);
 int secure_bits_from_string(const char *s);