Comments (11)
lucab
commented on July 23, 2024
errors in caps-rs that I suspect are due to the absence of armv7 target references in nr.rs
Correct, I was not planning to support legacy architectures. But if you need this and tests are fine, we can add it.
why target_arch must be arm for and not armv7 (as I'm using armv7-unknown-linux-gnueabihf)
Because those are compiler configurations which refer to the OS environment (i.e. Linux ABI) and not to the assembler target (ie. CPU instruction set and features). You can check it with rustc --print cfg.
I guessed (!) that CAPGET==184 and CAPSET==185 but was unable to find a syscall list
No need to guess, you can grep -rn __NR_capset /usr/include/. I don't have any armv7 box to check directly, but from other references I've seen those values should be correct.
If you care about this, can you please submit a PR just with the above snippet? I'd also need you to run a cargo test as root on that machine to check all the other details are fine.
from caps-rs.
lucab
commented on July 23, 2024
@DazWilkin bump on this, any updates?
from caps-rs.
DazWilkin
commented on July 23, 2024
I'm entirely unfamiliar with Rust and mostly unfamiliar with Linux syscall programming.
I tweaked cap-rs to get railcar to compile on the armv7 device and was successful with that but I'm not well-placed to submit a PR for this.
Good luck!
from caps-rs.
lucab
commented on July 23, 2024
@DazWilkin thanks anyway. The patch itself is easy, but the part I was lacking is a real armv7 device to run the testsuite as root. I guess I'll try to crosscompile the testsuite and then dig in my pile of dusty devices to find a suitable board.
from caps-rs.
DazWilkin
commented on July 23, 2024
I would be more than happy to help by running running the tests.
I have >=2 armv7 devices: I was using a NanoPI M3 for this work and I have a Raspberrry Pi 2.
Just let me know what you'd like me to do and I shall.
from caps-rs.
aep
commented on July 23, 2024
the suggested patch doesnt work for on android-arm.
I'm not sure why tho, the numbers seem correct.
adb shell /data/ambient-a9b3ef4fc24a37cc
running 7 tests
test test_ambient_read ... FAILED
test test_ambient_drop ... FAILED
test test_ambient_drop_other ... ok
test test_ambient_clear ... FAILED
test test_ambient_has_cap ... FAILED
test test_ambient_raise ... FAILED
test test_ambient_set ... FAILED
failures:
---- test_ambient_read stdout ----
thread 'test_ambient_read' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_IS_SET error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
note: Run with `RUST_BACKTRACE=1` for a backtrace.
---- test_ambient_drop stdout ----
thread 'test_ambient_drop' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_LOWER error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
---- test_ambient_clear stdout ----
thread 'test_ambient_clear' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_CLEAR_ALL error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
---- test_ambient_has_cap stdout ----
thread 'test_ambient_has_cap' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_IS_SET error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
---- test_ambient_raise stdout ----
thread 'test_ambient_raise' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_RAISE error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
---- test_ambient_set stdout ----
thread 'test_ambient_set' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_LOWER error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
from caps-rs.
lucab
commented on July 23, 2024
@aep are ambient capabilities the only failing ones? They are not affected by the above syscall constants, so it is probably something else. Which kernel is that running? Ambient caps require >= 4.3.
from caps-rs.
aep
commented on July 23, 2024
@lucab well things are never that easy on android...
101|bullhead:/ # uname -a
Linux localhost 3.10.73-g51dd5dcc9df4-00019-gf7f204743ab9 #1 SMP PREEMPT Wed Jan 11 01:56:00 UTC 2017 aarch64
bullhead:/ # /data/effective-874d67abd44f6bfe
running 6 tests
test test_effective_clear ... ok
test test_effective_drop ... ok
test test_effective_has_cap ... ok
test test_effective_raise ... ok
test test_effective_read ... ok
test test_effective_set ... FAILED
failures:
---- test_effective_set stdout ----
thread 'test_effective_set' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAP_AMBIENT_LOWER error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
note: Run with `RUST_BACKTRACE=1` for a backtrace.
failures:
test_effective_set
test result: FAILED. 5 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out
running 7 tests
test test_bounding_drop_other ... ok
test test_bounding_has_cap ... ok
test test_bounding_raise ... ok
test test_bounding_drop ... FAILED
test test_bounding_clear ... FAILED
test test_bounding_read ... FAILED
test test_bounding_set ... ok
failures:
---- test_bounding_drop stdout ----
thread 'test_bounding_drop' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAPBSET_READ error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
note: Run with `RUST_BACKTRACE=1` for a backtrace.
---- test_bounding_clear stdout ----
thread 'test_bounding_clear' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAPBSET_READ error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
---- test_bounding_read stdout ----
thread 'test_bounding_read' panicked at 'called `Result::unwrap()` on an `Err` value: Error(Msg("PR_CAPBSET_READ error -1"), State { next_error: None })', /checkout/src/libcore/result.rs:860
failures:
test_bounding_clear
test_bounding_drop
test_bounding_read
test result: FAILED. 4 passed; 3 failed; 0 ignored; 0 measured; 0 filtered out
from caps-rs.
lucab
commented on July 23, 2024
@aep thanks for rechecking, given your ancient kernel those failures should be expected:
test test_effective_set ... FAILED
This is due to your kernel missing PR_CAP_AMBIENT in prctl(2).
test test_bounding_drop ... FAILED
test test_bounding_clear ... FAILED
test test_bounding_read ... FAILED
Those are due to your kernel missing CAP_AUDIT_READ in capabilities(7).
In the end:
- the initially proposed snippet is enough to accomodate arm, I'll just push a PR for that
- this crate could handle missing kernel features more gracefully, but the doc is quite clear that this is intended to target modern kernels.
from caps-rs.
aep
commented on July 23, 2024
Cool.
Not sure I agree with "targeting modern kernels". This crate is the defacto standard and I'd rather not have another one for embedded devices where outdated kernels are standard.
Not sure what to do about it tho. Any idea what "graceful" could look like?
from caps-rs.
lucab
commented on July 23, 2024
@aep I have to check what is safely feasible for detection&downgrade, it probably includes better bubbling-up of errno->Error but I have to do some investigation first. I'm moving this discussion to #4.
At the moment "modern kernel" means >= 3.16 generally, and >= 4.3 more strictly to use the ambient set.
from caps-rs.
Related Issues (19)
- legacy: gracefully handle missing sets and capabilities HOT 1
- ambient: add ambient_set_supported() HOT 1
- Upgrading to macro_attr 0.2 HOT 2
- Type error on x86_32 HOT 4
- Expose errno on failure
- Support PR_SET_KEEPCAPS HOT 3
- Permitted set can be cleared but not set HOT 2
- securebits: add support for all flags HOT 2
- Darwin/BSD support – even possible? HOT 1
- Build failure on powerpc64 and mips64 HOT 5
- LICENSE files are missing HOT 1
- nr: track CAP_BPF and CAP_PERFMON HOT 2
- nr: track CAP_CHECKPOINT_RESTORE
- Using strum to denoise `Capability` enum HOT 2
- Release 0.5.3 HOT 3
- Elaborate on error handling HOT 1
- Unhelpful error message when attempting to un`set` Permitted capabilities HOT 1
- Consider switching to bitflags HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from caps-rs.