From: Lennart Poettering Date: Thu, 27 Aug 2020 13:45:53 +0000 (+0200) Subject: analyze: add 'capability' verb for dumping all known and unknown caps X-Git-Tag: v247-rc1~335^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b2af819b22d7219f96186193b60f453b8faa49a8;p=thirdparty%2Fsystemd.git analyze: add 'capability' verb for dumping all known and unknown caps --- diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 4da5b4c3f81..c7f72abc455 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -70,6 +70,12 @@ exit-status STATUS + + systemd-analyze + OPTIONS + capability + CAPABILITY + systemd-analyze OPTIONS @@ -345,6 +351,30 @@ DATAERR 65 BSD + + <command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command> + + This command prints a list of Linux capabilities along with their numeric IDs. See capabilities7 + for details. If no argument is specified the full list of capabilities known to the service manager and + the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown + as cap_???. Optionally, if arguments are specified they may refer to specific + cabilities by name or numeric ID, in which case only the indicated capabilities are shown in the + table. + + + <command>Show some example capability names</command> + + $ systemd-analyze capability 0 1 {30..32} +NAME NUMBER +cap_chown 0 +cap_dac_override 1 +cap_audit_control 30 +cap_setfcap 31 +cap_mac_override 32 + + + <command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d54648a9664..2b53002f78f 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -544,22 +544,28 @@ CapabilityBoundingSet= - Controls which capabilities to include in the capability bounding set for the executed - process. See capabilities7 for - details. Takes a whitespace-separated list of capability names, e.g. CAP_SYS_ADMIN, - CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Capabilities listed will be - included in the bounding set, all others are removed. If the list of capabilities is prefixed with - ~, all but the listed capabilities will be included, the effect of the assignment - inverted. Note that this option also affects the respective capabilities in the effective, permitted and - inheritable capability sets. If this option is not used, the capability bounding set is not modified on process - execution, hence no limits on the capabilities of the process are enforced. This option may appear more than - once, in which case the bounding sets are merged by OR, or by AND if - the lines are prefixed with ~ (see below). If the empty string is assigned to this option, - the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to - ~ (without any further argument), the bounding set is reset to the full set of available - capabilities, also undoing any previous settings. This does not affect commands prefixed with - +. + Controls which capabilities to include in the capability bounding set for the + executed process. See capabilities7 + for details. Takes a whitespace-separated list of capability names, + e.g. CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, + CAP_SYS_PTRACE. Capabilities listed will be included in the bounding set, all + others are removed. If the list of capabilities is prefixed with ~, all but the + listed capabilities will be included, the effect of the assignment inverted. Note that this option + also affects the respective capabilities in the effective, permitted and inheritable capability + sets. 
If this option is not used, the capability bounding set is not modified on process execution, + hence no limits on the capabilities of the process are enforced. This option may appear more than + once, in which case the bounding sets are merged by OR, or by + AND if the lines are prefixed with ~ (see below). If the + empty string is assigned to this option, the bounding set is reset to the empty capability set, and + all prior settings have no effect. If set to ~ (without any further argument), + the bounding set is reset to the full set of available capabilities, also undoing any previous + settings. This does not affect commands prefixed with +. + + Use + systemd-analyze1's + capability command to retrieve a list of capabilities defined on the local + system. Example: if a unit has the following, CapabilityBoundingSet=CAP_A CAP_B diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index f0359e70e07..549c4a4a9bc 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -21,6 +21,8 @@ #include "bus-map-properties.h" #include "bus-unit-util.h" #include "calendarspec.h" +#include "cap-list.h" +#include "capability-util.h" #include "conf-files.h" #include "copy.h" #include "def.h" 
@@ -1592,6 +1594,51 @@ static int dump_exit_status(int argc, char *argv[], void *userdata) {
 return table_print(table, NULL);
 }
+static int dump_capabilities(int argc, char *argv[], void *userdata) {
+ _cleanup_(table_unrefp) Table *table = NULL;
+ unsigned last_cap;
+ int r;
+
+ table = table_new("name", "number");
+ if (!table)
+ return log_oom();
+
+ (void) table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
+
+ /* Determine the maximum of the last cap known by the kernel and by us */
+ last_cap = MAX((unsigned) CAP_LAST_CAP, cap_last_cap());
+
+ if (strv_isempty(strv_skip(argv, 1)))
+ for (unsigned c = 0; c <= last_cap; c++) {
+ r = table_add_many(table,
+ TABLE_STRING, capability_to_name(c) ?: "cap_???",
+ TABLE_UINT, c);
+ if (r < 0)
+ return table_log_add_error(r);
+ }
+ else {
+ for (int i = 1; i < argc; i++) {
+ int c;
+
+ c = capability_from_name(argv[i]);
+ if (c < 0 || (unsigned) c > last_cap)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Capability \"%s\" not known.", argv[i]);
+
+ r = table_add_many(table,
+ TABLE_STRING, capability_to_name(c) ?: "cap_???",
+ TABLE_UINT, (unsigned) c);
+ if (r < 0)
+ return table_log_add_error(r);
+ }
+
+ (void) table_set_sort(table, (size_t) 1, (size_t) -1);
+ }
+
+ (void) pager_open(arg_pager_flags);
+
+ return table_print(table, NULL);
+}
+
 #if HAVE_SECCOMP
 static int load_kernel_syscalls(Set **ret) {
@@ -2126,6 +2173,7 @@ static int help(int argc, char *argv[], void *userdata) {
 " unit-files List files and symlinks for units\n"
 " unit-paths List load directories for units\n"
 " exit-status [STATUS...] List exit status definitions\n"
+ " capability [CAP...] List capability definitions\n"
 " syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
 " condition CONDITION... Evaluate conditions and asserts\n"
 " verify FILE... Check unit files for correctness\n"
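Review bot: In dump_capabilities the `if (strv_isempty(strv_skip(argv, 1)))` branch is an unbraced `for` whose own body is braced and which is then followed by a braced `else`; the mismatched bracing makes the if/else pairing easy to misread on a later edit, so brace the first branch as well: `if (strv_isempty(strv_skip(argv, 1))) {` … `} else {`. The two `table_add_many(table, TABLE_STRING, capability_to_name(c) ?: "cap_???", TABLE_UINT, ...)` calls differ only in the cast on the number and could share one small static helper so the "cap_???" placeholder is spelled in a single place. The function has no header comment; I would add, above the definition, `/* Lists capabilities known to either the service manager (CAP_LAST_CAP) or the running kernel (cap_last_cap()); caps the kernel defines but we have no name for are printed as "cap_???". */`. The man page text in this commit promises that arguments may be numeric IDs, which this branch can only honour if capability_from_name() parses digit strings — that is not visible in the hunk and is worth confirming.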
@@ -2363,6 +2411,7 @@ static int run(int argc, char *argv[]) {
 { "unit-paths", 1, 1, 0, dump_unit_paths },
 { "exit-status", VERB_ANY, VERB_ANY, 0, dump_exit_status },
 { "syscall-filter", VERB_ANY, VERB_ANY, 0, dump_syscall_filters },
+ { "capability", VERB_ANY, VERB_ANY, 0, dump_capabilities },
 { "condition", 2, VERB_ANY, 0, do_condition },
 { "verify", 2, VERB_ANY, 0, do_verify },
 { "calendar", 2, VERB_ANY, 0, test_calendar },