
Topic: linux file capabilities with extensions

yvs (Jr. Member)
linux file capabilities with extensions
« on: July 05, 2024, 02:08:30 PM »
Hi everyone,

Is there a way to set (Linux) file capabilities on a file inside a squashfs?

A bit more detail: I built a network utility from its git source and wrapped it in a .tcz extension. It's a ping/traceroute-style utility (an mtr fork), so it needs to work with raw sockets.
That can usually be achieved in three ways:
1) the most common way: setcap cap_net_raw=ep on the binary to let all users send pings
2) allowing it for user applications without any extra capabilities via the kernel's default settings (sysctl net.ipv4.ping_group_range)
3) granting it with setuid on the binary

On a TinyCore Linux installation setcap works on a regular fs (setcap from the libcap.tcz extension), but it looks like Linux caps are not supported on squashfs (only the setuid setting works there).
Is setuid the only way if the binary is wrapped in an extension?

curaga (Administrator)
Re: linux file capabilities with extensions
« Reply #1 on: July 06, 2024, 02:27:34 AM »
Yes, I believe suid only.

patrikg (Wiki Author)
Re: linux file capabilities with extensions
« Reply #2 on: July 06, 2024, 03:02:03 AM »
When installing tcz files in Tiny Core you can make a script file that is executed when you install the extension; maybe you can use that to set the corresponding access rights on the file.
https://wiki.tinycorelinux.net/doku.php?id=wiki:creating_extensions#adding_custom_startup_scripts

yvs (Jr. Member)
Re: linux file capabilities with extensions
« Reply #3 on: July 06, 2024, 04:22:58 PM »
> When installing tcz files in tiny core you can make a script file that being executed when you install the extension
>
Thank you for the suggestion, but there's no need for a post-install script; a tcz squashfs can keep extended attributes itself. The question was how to make the FS support them.

yvs (Jr. Member)
Re: linux file capabilities with extensions
« Reply #4 on: July 06, 2024, 04:34:14 PM »
> Yes, I believe suid only.
>
There's a workaround and a fairly straightforward solution:
1) Workaround: use the extension from a regular FS, like this:
   tc@box:~$ mkdir /home/tc/mtr085
   tc@box:~$ sudo unsquashfs -x -dest /home/tc/mtr085 /mnt/sda1/tce/optional/mtr085.tcz
   tc@box:~$ getcap /home/tc/mtr085/usr/local/sbin/mtr
   /home/tc/mtr085/usr/local/sbin/mtr = cap_net_raw+ep

2) It took some time to get it working with the mount tools:
   - build the squashfs module with xattr support (CONFIG_SQUASHFS_XATTR=y)
   - repack the core with the squashfs module built in the previous step (or just reload the squashfs module on the booted system)
   As a result the standard `tce-load` script can mount it; in my experiments it looked like this:
   tc@box:~$ tce-load -i mtr085
   tc@box:~$ getcap /tmp/tcloop/mtr085/usr/local/sbin/mtr
   /tmp/tcloop/mtr085/usr/local/sbin/mtr = cap_net_raw+ep

yvs (Jr. Member)
Re: linux file capabilities with extensions
« Reply #5 on: July 07, 2024, 06:08:53 PM »
To complete this extended file attribute topic:

xattr support in the current releases, by arch:
- x86: by default there is support neither in the kernel module nor in squashfs-tools (it works after rebuilding both)
- x86_64: by default there is no support in the kernel module, but squashfs-tools already supports it (only the squashfs module needs to be rebuilt)
- armv7l: support is already present in both the squashfs kernel module and squashfs-tools
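An added check that ties Reply #4 and Reply #5 together; it is example code written for this page, not something posted in the thread or shipped by TinyCore. The security point is that `cap_net_raw+ep` hands the binary one narrowly scoped privilege, whereas the setuid fallback hands it the whole root identity, so it is worth confirming that the capability really survives the mount before anyone reaches for setuid. The script parses `getcap` output (both the older `path = cap+ep` and the newer `path cap=ep` formats), reports `CONFIG_SQUASHFS_XATTR` from `/proc/config.gz` when the kernel exposes it, and loop-mounts a .tcz to see whether the capability is still there. The extension and binary paths are the ones from the thread; the scratch mount directory, the use of `sudo`, and the presence of `/proc/config.gz` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the TinyCore project): verify that a
# file capability stored in a .tcz squashfs survives mounting, and report
# whether the running kernel's squashfs was built with xattr support.
# Paths in the usage comment come from the thread; everything else is assumed.

# Succeed (exit 0) if one line of `getcap` output grants capability $2 in the
# effective set.  Handles both output formats libcap has used:
#   old:  /path/to/mtr = cap_net_raw+ep
#   new:  /path/to/mtr cap_net_raw=ep
# A clause such as "cap_net_raw,cap_net_admin+p" (permitted only, not
# effective) does not count.  Paths containing spaces are not handled.
getcap_has() {
    line=$1 want=$2
    case "$line" in
        *" = "*) sets=${line#* = } ;;   # old format: strip "path = "
        *" "*)   sets=${line#* } ;;     # new format: strip "path "
        *)       return 1 ;;            # no capability text at all
    esac
    for clause in $sets; do
        caps=${clause%%[+=]*}           # capability list before the operator
        flags=${clause#"$caps"}         # "+ep", "=ep", "+p", ...
        flags=${flags#[+=]}
        case ",$caps," in
            *",$want,"*)
                case "$flags" in *e*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Print yes/no/unknown for CONFIG_SQUASHFS_XATTR, read from /proc/config.gz.
# Assumption: the kernel exposes /proc/config.gz; when it does not (likely on
# a stock TinyCore kernel), the mount test below is the authoritative check.
kernel_squashfs_xattr() {
    [ -r /proc/config.gz ] || { echo unknown; return 2; }
    if zcat /proc/config.gz | grep -qx 'CONFIG_SQUASHFS_XATTR=y'; then
        echo yes
    else
        echo no; return 1
    fi
}

# Loop-mount $1 (a .tcz) read-only on a scratch directory and check that $2
# (a path relative to the image root) still carries capability $3.
# Needs root for the loop mount (assumed available via sudo).
# Returns 0 if the capability survived, 1 if it was dropped, 2 on mount error.
tcz_cap_survives() {
    tcz=$1 inner=$2 want=$3
    mnt=$(mktemp -d) || return 2
    if ! sudo mount -o loop,ro "$tcz" "$mnt"; then rmdir "$mnt"; return 2; fi
    out=$(getcap "$mnt/$inner" 2>/dev/null)
    sudo umount "$mnt"; rmdir "$mnt"
    getcap_has "$out" "$want"
}

# The checks only run when invoked with an extension path, for example:
#   sh check_tcz_caps.sh /mnt/sda1/tce/optional/mtr085.tcz usr/local/sbin/mtr
# (a third argument overrides the capability name, default cap_net_raw).
if [ $# -ge 2 ]; then
    want=${3:-cap_net_raw}
    echo "kernel CONFIG_SQUASHFS_XATTR: $(kernel_squashfs_xattr)"
    if tcz_cap_survives "$1" "$2" "$want"; then
        echo "OK: $2 keeps $want when $1 is mounted"
    else
        echo "WARNING: $want is missing on the mounted $2;"
        echo "         rebuild squashfs with CONFIG_SQUASHFS_XATTR=y instead of falling back to setuid root"
    fi
fi
```

Run it after `tce-load -i` has been verified to work, or before publishing the extension on a box whose kernel has not been rebuilt, to catch the case where `mksquashfs` stored the xattr but the kernel module silently ignores it. A warning here means the binary will run without `cap_net_raw`, which is exactly the situation that tempts people into option 3 (setuid) from the opening post.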