authorPanu Matilainen <pmatilai@redhat.com>2008-10-26 14:17:16 +0200
committerPanu Matilainen <pmatilai@redhat.com>2008-10-26 14:17:16 +0200
commit770a0f34c90b59460372da181895b3a2802113f1 (patch)
treeb08aafa1f4a7f60100e0d5c34d03634207720126
parentca40fafedb504ff0195e347886e96a0268b3f5db (diff)
Beginnings of file capability (POSIX.1e draft 15) verification support
- add minimal bits and pieces to check for capabilities in files on verify - for now, any capability set is a verification failure as the capability cannot have been set by rpm itself - patch from Andreas Gruenbacher, modified to use libcap instead of raw xattrs for portability
-rw-r--r--build/files.c1
-rw-r--r--configure.ac26
-rw-r--r--doc/rpm.82
-rw-r--r--lib/Makefile.am1
-rw-r--r--lib/poptQV.c3
-rw-r--r--lib/rpmvf.h8
-rw-r--r--lib/verify.c21
-rw-r--r--system.h4
8 files changed, 60 insertions, 6 deletions
diff --git a/build/files.c b/build/files.c
index dbef8be64..f4b201425 100644
--- a/build/files.c
+++ b/build/files.c
@@ -261,6 +261,7 @@ static VFA_t const verifyAttrs[] = {
{ "mtime", 0, RPMVERIFY_MTIME },
{ "mode", 0, RPMVERIFY_MODE },
{ "rdev", 0, RPMVERIFY_RDEV },
+ { "caps", 0, RPMVERIFY_CAPS },
{ NULL, 0, 0 }
};
diff --git a/configure.ac b/configure.ac
index c86d06d5b..28d12457c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -738,6 +738,32 @@ AS_IF([test "$with_selinux" = yes],[
AC_SUBST(WITH_SELINUX_LIB)
AM_CONDITIONAL(SELINUX,[test "$with_selinux" = yes])
+# libcap
+WITH_CAP_LIB=
+AC_ARG_WITH(cap, [ --with-cap build with capability support ],
+[case "$with_cap" in
+yes|no) ;;
+*) AC_MSG_ERROR([invalid argument to --with-cap])
+ ;;
+esac],
+[with_cap=no])
+
+AS_IF([test "$with_cap" = yes],[
+ AC_CHECK_HEADER([sys/capability.h],[
+ AC_CHECK_LIB(cap,[cap_get_file],[with_cap=yes],[
+ AC_MSG_ERROR([--with-cap given, but libcap not found])])
+ ],[
+ AC_MSG_ERROR([--with-cap given, but sys/capability.h not found])
+ ])
+])
+
+AS_IF([test "$with_cap" = yes],[
+ AC_DEFINE(WITH_CAP, 1, [Build with capability support?])
+ WITH_CAP_LIB="-lcap"
+])
+AC_SUBST(WITH_CAP_LIB)
+AM_CONDITIONAL(CAP,[test "$with_cap" = yes])
+
WITH_LUA_LIB=
WITH_LUA_INCLUDE=
AC_ARG_WITH(lua, [ --with-lua build with lua support ],,[with_lua=yes])
diff --git a/doc/rpm.8 b/doc/rpm.8
index 0d3965899..ef8181b17 100644
--- a/doc/rpm.8
+++ b/doc/rpm.8
@@ -91,6 +91,7 @@ rpm \- RPM Package Manager
[\fB--nodigest\fR] [\fB--nosignature\fR]
[\fB--nolinkto\fR] [\fB--nomd5\fR] [\fB--nosize\fR] [\fB--nouser\fR]
[\fB--nogroup\fR] [\fB--nomtime\fR] [\fB--nomode\fR] [\fB--nordev\fR]
+ [\fB--nocaps\fR]
.SS "install-options"
.PP
@@ -718,6 +719,7 @@ the corresponding \fB--verify\fR test:
\fBU\fR \fBU\fRser ownership differs
\fBG\fR \fBG\fRroup ownership differs
\fBT\fR m\fBT\fRime differs
+\fBP\fR ca\fBP\fRabilities differ
.fi
.SS "DIGITAL SIGNATURE AND DIGEST VERIFICATION"
diff --git a/lib/Makefile.am b/lib/Makefile.am
index cb4f37690..6befe8637 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -47,6 +47,7 @@ librpm_la_LIBADD = \
@WITH_POPT_LIB@ \
@WITH_SELINUX_LIB@ \
@WITH_SQLITE3_LIB@ \
+ @WITH_CAP_LIB@ \
@LIBINTL@
if WITH_INTERNAL_DB
diff --git a/lib/poptQV.c b/lib/poptQV.c
index 36ed17ec4..44730fd97 100644
--- a/lib/poptQV.c
+++ b/lib/poptQV.c
@@ -295,6 +295,9 @@ struct poptOption rpmVerifyPoptTable[] = {
{ "nordev", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
&rpmQVKArgs.qva_flags, VERIFY_RDEV,
N_("don't verify mode of files"), NULL },
+ { "nocaps", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN,
+ &rpmQVKArgs.qva_flags, VERIFY_CAPS,
+ N_("don't verify capabilities of files"), NULL },
{ "nocontexts", '\0', POPT_ARGFLAG_DOC_HIDDEN, NULL, RPMCLI_POPT_NOCONTEXTS,
N_("don't verify file security contexts"), NULL },
diff --git a/lib/rpmvf.h b/lib/rpmvf.h
index ff3ebc676..55c7e9c97 100644
--- a/lib/rpmvf.h
+++ b/lib/rpmvf.h
@@ -24,7 +24,8 @@ typedef enum rpmVerifyAttrs_e {
RPMVERIFY_MTIME = (1 << 5), /*!< from %verify(mtime) */
RPMVERIFY_MODE = (1 << 6), /*!< from %verify(mode) */
RPMVERIFY_RDEV = (1 << 7), /*!< from %verify(rdev) */
- /* bits 8-14 unused, reserved for rpmVerifyAttrs */
+ RPMVERIFY_CAPS = (1 << 8), /*!< from %verify(caps) */
+ /* bits 9-14 unused, reserved for rpmVerifyAttrs */
RPMVERIFY_CONTEXTS = (1 << 15), /*!< verify: from --nocontexts */
/* bits 16-22 used in rpmVerifyFlags */
/* bits 23-27 used in rpmQueryFlags */
@@ -50,7 +51,8 @@ typedef enum rpmVerifyFlags_e {
VERIFY_MTIME = (1 << 5), /*!< from --nomtime */
VERIFY_MODE = (1 << 6), /*!< from --nomode */
VERIFY_RDEV = (1 << 7), /*!< from --nodev */
- /* bits 8-14 unused, reserved for rpmVerifyAttrs */
+ VERIFY_CAPS = (1 << 8), /*!< from --nocaps */
+ /* bits 9-14 unused, reserved for rpmVerifyAttrs */
VERIFY_CONTEXTS = (1 << 15), /*!< verify: from --nocontexts */
VERIFY_FILES = (1 << 16), /*!< verify: from --nofiles */
VERIFY_DEPS = (1 << 17), /*!< verify: from --nodeps */
@@ -69,7 +71,7 @@ typedef enum rpmVerifyFlags_e {
#define VERIFY_ATTRS \
( VERIFY_MD5 | VERIFY_SIZE | VERIFY_LINKTO | VERIFY_USER | VERIFY_GROUP | \
- VERIFY_MTIME | VERIFY_MODE | VERIFY_RDEV | VERIFY_CONTEXTS )
+ VERIFY_MTIME | VERIFY_MODE | VERIFY_RDEV | VERIFY_CONTEXTS | VERIFY_CAPS )
#define VERIFY_ALL \
( VERIFY_ATTRS | VERIFY_FILES | VERIFY_DEPS | VERIFY_SCRIPT | VERIFY_DIGEST |\
VERIFY_SIGNATURE | VERIFY_HDRCHK )
diff --git a/lib/verify.c b/lib/verify.c
index 18650265e..da485c835 100644
--- a/lib/verify.c
+++ b/lib/verify.c
@@ -167,6 +167,20 @@ int rpmVerifyFile(const rpmts ts, const rpmfi fi,
}
}
+#if WITH_CAP
+ if (flags & RPMVERIFY_CAPS) {
+ /*
+ * For now, any capabilities on a file is a difference as rpm
+ * cannot have set them.
+ */
+ cap_t fcap = cap_get_file(fn);
+ if (fcap != NULL) {
+ *res |= RPMVERIFY_CAPS;
+ cap_free(fcap);
+ }
+ }
+#endif
+
if (flags & RPMVERIFY_MTIME) {
if (sb.st_mtime != rpmfiFMtime(fi))
*res |= RPMVERIFY_MTIME;
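Review bot: A NULL return from `cap_get_file(fn)` is read here as "no capabilities set", but the call also returns NULL when the capability attribute could not be read at all, so a read failure passes the check with nothing recorded in `*res`. For a verification pass that is the unsafe direction, since a file whose capabilities cannot be inspected is reported the same as a clean one. Checking `errno` after the NULL return would separate the cases, for example `else if (errno != ENODATA && errno != ENOTSUP) *res |= RPMVERIFY_CAPS;`, with the exact set of benign errno values to be confirmed against the libcap version in use. `cap_get_file` takes a path and, as far as I know, follows symbolic links, so it is worth confirming that symlink entries do not get the target's capabilities attributed to them. The rest of rpmVerifyFile, including how `fn` is stat'ed, is outside the hunk.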
@@ -273,7 +287,7 @@ static int verifyHeader(QVA_t qva, const rpmts ts, rpmfi fi)
}
} else if (verifyResult || rpmIsVerbose()) {
const char * size, * MD5, * link, * mtime, * mode;
- const char * group, * user, * rdev;
+ const char * group, * user, * rdev, *caps;
static const char *const aok = ".";
static const char *const unknown = "?";
@@ -296,13 +310,14 @@ static int verifyHeader(QVA_t qva, const rpmts ts, rpmfi fi)
user = _verify(RPMVERIFY_USER, "U");
group = _verify(RPMVERIFY_GROUP, "G");
mode = _verify(RPMVERIFY_MODE, "M");
+ caps = _verify(RPMVERIFY_CAPS, "P");
#undef _verifyfile
#undef _verifylink
#undef _verify
- rasprintf(&buf, "%s%s%s%s%s%s%s%s %c %s",
- size, mode, MD5, rdev, link, user, group, mtime,
+ rasprintf(&buf, "%s%s%s%s%s%s%s%s%s %c %s",
+ size, mode, MD5, rdev, link, user, group, mtime, caps,
((fileAttrs & RPMFILE_CONFIG) ? 'c' :
(fileAttrs & RPMFILE_DOC) ? 'd' :
(fileAttrs & RPMFILE_GHOST) ? 'g' :
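Review bot: The new `caps` column prints whatever `_verify(RPMVERIFY_CAPS, "P")` yields even in builds where the check is compiled out: of the code shown, only the `#if WITH_CAP` block in rpmVerifyFile sets the bit, and configure.ac defaults `with_cap` to no. Assuming `_verify` (defined outside this hunk) maps an unset bit to `aok`, such a build shows `.` for a test that never ran; assigning the existing `unknown` string instead, i.e. `caps = unknown;` under `#if !WITH_CAP`, would keep the report honest. The format string also grows from eight to nine attribute columns, so a short comment above the `rasprintf` call listing the column order would help anyone who parses the verify output. The `rasprintf` argument list continues past the end of the hunk.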
diff --git a/system.h b/system.h
index e0e750f7f..5a3c64dbd 100644
--- a/system.h
+++ b/system.h
@@ -227,6 +227,10 @@ void * _free(void * p)
return NULL;
}
+#if WITH_CAP
+#include <sys/capability.h>
+#endif
+
/**
* Wrapper to free(3), permit NULL, return NULL.
* For documenting cases where const is used to protect long-lived