fcaps.eclass
Description
This eclass provides a function to set file-based capabilities on binaries.
This is not the same as USE=caps which controls runtime capability changes,
often via packages like libcap.
Due to probable capability-loss on moving or copying, this happens in
pkg_postinst phase (at least for now).
Example
You can manually set the caps on ping and ping6 by doing:
pkg_postinst() {
fcaps cap_net_raw bin/ping bin/ping6
}
Or set it via the global ebuild var FILECAPS:
FILECAPS=(
cap_net_raw bin/ping bin/ping6
)
Functions
- fcaps [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] <capabilities> <file[s]>
-
Sets the specified capabilities on the specified files.
The caps option takes the form as expected by the
cap_from_text``(3) man page. If no action is specified, then ``=epwill be used as a default.If the file is a relative path (e.g.
bin/foorather than/bin/foo), then the appropriate path var ($D/$ROOT/etc...) will be prefixed based on the current ebuild phase.The caps mode (default 711) is used to set the permission on the file if capabilities were properly set on the file.
If the system is unable to set capabilities, it will use the specified user, group, and mode (presumably to make the binary
set*id). The defaults there are 0:0 and 4711. Otherwise, the ownership and permissions will be unchanged. - fcaps_pkg_postinst
-
Process the
FILECAPSarray.
Variables
- FILECAPS
-
An array of
fcaparguments to use to automatically executefcaps. See that function for more details.All args are consumed until the
--marker is found. So if you have:FILECAPS=( moo cow -- fat cat -- chubby penguin )This will end up executing:
fcaps moo cow fcaps fat cat fcaps chubby penguinNote: If you override
pkg_postinst, you must callfcaps_pkg_postinstyourself.
Reporting Bugs
Please report bugs via https://bugs.gentoo.org/