Add cap{get,set} syscalls (#514)

Signed-off-by: Alex Saveau <saveau.alexandre@gmail.com>

Author: SUPERCILEX

src/backend/libc/thread/syscalls.rs

@@ -3,7 +3,7 @@
 use super::super::c;
 use super::super::conv::ret;
 #[cfg(any(target_os = "android", target_os = "linux"))]
-use super::super::conv::{borrowed_fd, ret_c_int};
+use super::super::conv::{borrowed_fd, ret_c_int, syscall_ret};
 use super::super::time::types::LibcTimespec;
 #[cfg(any(target_os = "android", target_os = "linux"))]
 use crate::fd::BorrowedFd;
@@ -299,3 +299,23 @@ pub(crate) fn setns(fd: BorrowedFd, nstype: c::c_int) -> io::Result<c::c_int> {
 pub(crate) fn unshare(flags: crate::thread::UnshareFlags) -> io::Result<()> {
     unsafe { ret(c::unshare(flags.bits() as i32)) }
 }
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+#[inline]
+pub(crate) fn capget(
+    header: &mut linux_raw_sys::general::__user_cap_header_struct,
+    data: &mut [MaybeUninit<linux_raw_sys::general::__user_cap_data_struct>],
+) -> io::Result<()> {
+    let header: *mut _ = header;
+    unsafe { syscall_ret(c::syscall(c::SYS_capget, header, data.as_mut_ptr())) }
+}
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+#[inline]
+pub(crate) fn capset(
+    header: &mut linux_raw_sys::general::__user_cap_header_struct,
+    data: &[linux_raw_sys::general::__user_cap_data_struct],
+) -> io::Result<()> {
+    let header: *mut _ = header;
+    unsafe { syscall_ret(c::syscall(c::SYS_capset, header, data.as_ptr())) }
+}

src/backend/linux_raw/thread/syscalls.rs

@@ -294,3 +294,23 @@ pub(crate) fn setns(fd: BorrowedFd, nstype: c::c_int) -> io::Result<c::c_int> {
 pub(crate) fn unshare(flags: crate::thread::UnshareFlags) -> io::Result<()> {
     unsafe { ret(syscall_readonly!(__NR_unshare, c_uint(flags.bits()))) }
 }
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+#[inline]
+pub(crate) fn capget(
+    header: &mut linux_raw_sys::general::__user_cap_header_struct,
+    data: &mut [MaybeUninit<linux_raw_sys::general::__user_cap_data_struct>],
+) -> io::Result<()> {
+    let header: *mut _ = header;
+    unsafe { ret(syscall!(__NR_capget, header, data.as_mut_ptr())) }
+}
+
+#[cfg(any(target_os = "android", target_os = "linux"))]
+#[inline]
+pub(crate) fn capset(
+    header: &mut linux_raw_sys::general::__user_cap_header_struct,
+    data: &[linux_raw_sys::general::__user_cap_data_struct],
+) -> io::Result<()> {
+    let header: *mut _ = header;
+    unsafe { ret(syscall!(__NR_capset, header, data.as_ptr())) }
+}

src/thread/libcap.rs

@@ -0,0 +1,185 @@
+use bitflags::bitflags;
+use core::mem::MaybeUninit;
+
+use crate::process::Pid;
+use crate::{backend, io};
+
+/// `__user_cap_data_struct`
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub struct CapabilitySets {
+    /// `__user_cap_data_struct.effective`
+    pub effective: CapabilityFlags,
+    /// `__user_cap_data_struct.permitted`
+    pub permitted: CapabilityFlags,
+    /// `__user_cap_data_struct.inheritable`
+    pub inheritable: CapabilityFlags,
+}
+
+bitflags! {
+    /// `CAP_*` constants.
+    pub struct CapabilityFlags: u64 {
+        /// `CAP_CHOWN`
+        const CHOWN = 1 << linux_raw_sys::general::CAP_CHOWN;
+        /// `CAP_DAC_OVERRIDE`
+        const DAC_OVERRIDE = 1 << linux_raw_sys::general::CAP_DAC_OVERRIDE;
+        /// `CAP_DAC_READ_SEARCH`
+        const DAC_READ_SEARCH = 1 << linux_raw_sys::general::CAP_DAC_READ_SEARCH;
+        /// `CAP_FOWNER`
+        const FOWNER = 1 << linux_raw_sys::general::CAP_FOWNER;
+        /// `CAP_FSETID`
+        const FSETID = 1 << linux_raw_sys::general::CAP_FSETID;
+        /// `CAP_KILL`
+        const KILL = 1 << linux_raw_sys::general::CAP_KILL;
+        /// `CAP_SETGID`
+        const SETGID = 1 << linux_raw_sys::general::CAP_SETGID;
+        /// `CAP_SETUID`
+        const SETUID = 1 << linux_raw_sys::general::CAP_SETUID;
+        /// `CAP_SETPCAP`
+        const SETPCAP = 1 << linux_raw_sys::general::CAP_SETPCAP;
+        /// `CAP_LINUX_IMMUTABLE`
+        const LINUX_IMMUTABLE = 1 << linux_raw_sys::general::CAP_LINUX_IMMUTABLE;
+        /// `CAP_NET_BIND_SERVICE`
+        const NET_BIND_SERVICE = 1 << linux_raw_sys::general::CAP_NET_BIND_SERVICE;
+        /// `CAP_NET_BROADCAST`
+        const NET_BROADCAST = 1 << linux_raw_sys::general::CAP_NET_BROADCAST;
+        /// `CAP_NET_ADMIN`
+        const NET_ADMIN = 1 << linux_raw_sys::general::CAP_NET_ADMIN;
+        /// `CAP_NET_RAW`
+        const NET_RAW = 1 << linux_raw_sys::general::CAP_NET_RAW;
+        /// `CAP_IPC_LOCK`
+        const IPC_LOCK = 1 << linux_raw_sys::general::CAP_IPC_LOCK;
+        /// `CAP_IPC_OWNER`
+        const IPC_OWNER = 1 << linux_raw_sys::general::CAP_IPC_OWNER;
+        /// `CAP_SYS_MODULE`
+        const SYS_MODULE = 1 << linux_raw_sys::general::CAP_SYS_MODULE;
+        /// `CAP_SYS_RAWIO`
+        const SYS_RAWIO = 1 << linux_raw_sys::general::CAP_SYS_RAWIO;
+        /// `CAP_SYS_CHROOT`
+        const SYS_CHROOT = 1 << linux_raw_sys::general::CAP_SYS_CHROOT;
+        /// `CAP_SYS_PTRACE`
+        const SYS_PTRACE = 1 << linux_raw_sys::general::CAP_SYS_PTRACE;
+        /// `CAP_SYS_PACCT`
+        const SYS_PACCT = 1 << linux_raw_sys::general::CAP_SYS_PACCT;
+        /// `CAP_SYS_ADMIN`
+        const SYS_ADMIN = 1 << linux_raw_sys::general::CAP_SYS_ADMIN;
+        /// `CAP_SYS_BOOT`
+        const SYS_BOOT = 1 << linux_raw_sys::general::CAP_SYS_BOOT;
+        /// `CAP_SYS_NICE`
+        const SYS_NICE = 1 << linux_raw_sys::general::CAP_SYS_NICE;
+        /// `CAP_SYS_RESOURCE`
+        const SYS_RESOURCE = 1 << linux_raw_sys::general::CAP_SYS_RESOURCE;
+        /// `CAP_SYS_TIME`
+        const SYS_TIME = 1 << linux_raw_sys::general::CAP_SYS_TIME;
+        /// `CAP_SYS_TTY_CONFIG`
+        const SYS_TTY_CONFIG = 1 << linux_raw_sys::general::CAP_SYS_TTY_CONFIG;
+        /// `CAP_MKNOD`
+        const MKNOD = 1 << linux_raw_sys::general::CAP_MKNOD;
+        /// `CAP_LEASE`
+        const LEASE = 1 << linux_raw_sys::general::CAP_LEASE;
+        /// `CAP_AUDIT_WRITE`
+        const AUDIT_WRITE = 1 << linux_raw_sys::general::CAP_AUDIT_WRITE;
+        /// `CAP_AUDIT_CONTROL`
+        const AUDIT_CONTROL = 1 << linux_raw_sys::general::CAP_AUDIT_CONTROL;
+        /// `CAP_SETFCAP`
+        const SETFCAP = 1 << linux_raw_sys::general::CAP_SETFCAP;
+        /// `CAP_MAC_OVERRIDE`
+        const MAC_OVERRIDE = 1 << linux_raw_sys::general::CAP_MAC_OVERRIDE;
+        /// `CAP_MAC_ADMIN`
+        const MAC_ADMIN = 1 << linux_raw_sys::general::CAP_MAC_ADMIN;
+        /// `CAP_SYSLOG`
+        const SYSLOG = 1 << linux_raw_sys::general::CAP_SYSLOG;
+        /// `CAP_WAKE_ALARM`
+        const WAKE_ALARM = 1 << linux_raw_sys::general::CAP_WAKE_ALARM;
+        /// `CAP_BLOCK_SUSPEND`
+        const BLOCK_SUSPEND = 1 << linux_raw_sys::general::CAP_BLOCK_SUSPEND;
+        /// `CAP_AUDIT_READ`
+        const AUDIT_READ = 1 << linux_raw_sys::general::CAP_AUDIT_READ;
+        /// `CAP_PERFMON`
+        const PERFMON = 1 << linux_raw_sys::general::CAP_PERFMON;
+        /// `CAP_BPF`
+        const BPF = 1 << linux_raw_sys::general::CAP_BPF;
+        /// `CAP_CHECKPOINT_RESTORE`
+        const CHECKPOINT_RESTORE = 1 << linux_raw_sys::general::CAP_CHECKPOINT_RESTORE;
+    }
+}
+
+/// `capget(_LINUX_CAPABILITY_VERSION_3, pid)`
+///
+/// # References
+///  - [Linux]
+///
+/// [Linux]: https://man7.org/linux/man-pages/man2/capget.2.html
+#[inline]
+#[doc(alias = "capget")]
+pub fn capabilities(pid: Option<Pid>) -> io::Result<CapabilitySets> {
+    capget(pid)
+}
+
+/// `capset(_LINUX_CAPABILITY_VERSION_3, pid, effective, permitted, inheritable)`
+///
+/// # References
+///  - [Linux]
+///
+/// [Linux]: https://man7.org/linux/man-pages/man2/capget.2.html
+#[inline]
+#[doc(alias = "capset")]
+pub fn set_capabilities(pid: Option<Pid>, sets: CapabilitySets) -> io::Result<()> {
+    capset(pid, sets)
+}
+
+#[inline]
+#[allow(unsafe_code)]
+fn capget(pid: Option<Pid>) -> io::Result<CapabilitySets> {
+    let mut data = [MaybeUninit::<linux_raw_sys::general::__user_cap_data_struct>::uninit(); 2];
+
+    let data = {
+        let mut header = linux_raw_sys::general::__user_cap_header_struct {
+            version: linux_raw_sys::general::_LINUX_CAPABILITY_VERSION_3,
+            pid: Pid::as_raw(pid) as backend::c::c_int,
+        };
+
+        backend::thread::syscalls::capget(&mut header, &mut data)?;
+        // SAFETY: v3 is a 64-bit implementation, so the kernel filled in both data structs.
+        unsafe { (data[0].assume_init(), data[1].assume_init()) }
+    };
+
+    {
+        // TODO: With Rust 1.53, we can use u32::BITS in the shifts.
+        const BITS: u32 = 32;
+        let effective = u64::from(data.0.effective) | (u64::from(data.1.effective) << BITS);
+        let permitted = u64::from(data.0.permitted) | (u64::from(data.1.permitted) << BITS);
+        let inheritable = u64::from(data.0.inheritable) | (u64::from(data.1.inheritable) << BITS);
+
+        // SAFETY: the kernel returns a partitioned bitset that we just combined above
+        Ok(CapabilitySets {
+            effective: unsafe { CapabilityFlags::from_bits_unchecked(effective) },
+            permitted: unsafe { CapabilityFlags::from_bits_unchecked(permitted) },
+            inheritable: unsafe { CapabilityFlags::from_bits_unchecked(inheritable) },
+        })
+    }
+}
+
+#[inline]
+fn capset(pid: Option<Pid>, sets: CapabilitySets) -> io::Result<()> {
+    // TODO: With Rust 1.53, we can use u32::BITS in the shifts.
+    const BITS: u32 = 32;
+
+    let mut header = linux_raw_sys::general::__user_cap_header_struct {
+        version: linux_raw_sys::general::_LINUX_CAPABILITY_VERSION_3,
+        pid: Pid::as_raw(pid) as backend::c::c_int,
+    };
+    let data = [
+        linux_raw_sys::general::__user_cap_data_struct {
+            effective: sets.effective.bits() as u32,
+            permitted: sets.permitted.bits() as u32,
+            inheritable: sets.inheritable.bits() as u32,
+        },
+        linux_raw_sys::general::__user_cap_data_struct {
+            effective: (sets.effective.bits() >> BITS) as u32,
+            permitted: (sets.permitted.bits() >> BITS) as u32,
+            inheritable: (sets.inheritable.bits() >> BITS) as u32,
+        },
+    ];
+
+    backend::thread::syscalls::capset(&mut header, &data)
+}

src/thread/mod.rs

@@ -7,6 +7,8 @@ mod futex;
 #[cfg(any(target_os = "android", target_os = "linux"))]
 mod id;
 #[cfg(any(target_os = "android", target_os = "linux"))]
+mod libcap;
+#[cfg(any(target_os = "android", target_os = "linux"))]
 mod prctl;
 #[cfg(any(target_os = "android", target_os = "linux"))]
 mod setns;
@@ -30,6 +32,8 @@ pub use futex::{futex, FutexFlags, FutexOperation};
 #[cfg(any(target_os = "android", target_os = "linux"))]
 pub use id::gettid;
 #[cfg(any(target_os = "android", target_os = "linux"))]
+pub use libcap::{capabilities, set_capabilities, CapabilityFlags, CapabilitySets};
+#[cfg(any(target_os = "android", target_os = "linux"))]
 pub use prctl::*;
 #[cfg(any(target_os = "android", target_os = "linux"))]
 pub use setns::*;