Can capabilities be specified in Debian packages

capabilitiesdebpackaging

Since RPM 4.7, there has been the ability to specify that a file in an RPM package should be installed with capabilities set (via %caps).

Is there a similar feature for Debian packages?

Best Answer

Sadly, no. There isn't a way to make dpkg use file capabilities, and apparently nobody has ever asked, though the library itself is available.

I skimmed through the Debian Policy Manual, and there isn't a single entry that reference this feature. That said, you can use dh_override_install (if you use debhelper), pre/post maintainer scripts or modifying the debian/rules file to reproduce this behavior, but I don't see any obviously easy way to implement it.

Related Solutions

Linux – Passing Capabilities Through exec

It turns out that setting +i on the wrapper does not add the capability to the CAP_INHERITABLE set for the wrapper process, thus it is not passed through exec. I therefore had to manually add CAP_DAC_OVERRIDE to CAP_INHERITABLE before calling execl:

#include <sys/capability.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv[]) {
    cap_t caps = cap_get_proc();
    printf("Capabilities: %s\n", cap_to_text(caps, NULL));
    cap_value_t newcaps[1] = { CAP_DAC_OVERRIDE, };
    cap_set_flag(caps, CAP_INHERITABLE, 1, newcaps, CAP_SET);
    cap_set_proc(caps);
    printf("Capabilities: %s\n", cap_to_text(caps, NULL));
    cap_free(caps);
    return execl("/usr/bin/net", "net", "ads", "dns", "register", "-P", NULL);
}

In addition, I had to add cap_dac_override to the permitted file capabilities set on /usr/bin/net and set the effective bit:

~ $ sudo setcap cap_dac_override=p ./registerdns
~ $ sudo setcap cap_dac_override=ei /usr/bin/net
~ $ ./registerdns
Capabilities = cap_dac_override+p
Capabilities = cap_dac_override+ip
Successfully registered hostname with DNS

I think I now fully understand what's happening:

The wrapper needs CAP_DAC_OVERRIDE in its permitted set so it can add it to its inheritable set.
The wrapper's process inheritable set is different than its file inheritable set, so setting +i on the file is useless; the wrapper must explicitly add CAP_DAC_OVERRIDE to CAP_INHERITABLE using cap_set_flag/cap_set_proc.
The net file needs to have CAP_DAC_OVERRIDE in its inheritable set so that it can in fact inherit the capability from the wrapper into its CAP_PERMITTED set. It also needs the effective bit to be set so that it will be automatically promoted to CAP_EFFECTIVE.

Debian – CPU optimized compiled debian packages

If you want to build specific packages according to your own liking, you could use the Gentoo prefix project. It allows you to compile and install packages to a specific directory, as a regular user. This way you can enjoy the flexibility and repositories of Gentoo, without breaking or changing your system.

Best Answer

Related Solutions

Linux – Passing Capabilities Through exec

Debian – CPU optimized compiled debian packages

Related Question