|Reported by:||Bruce Dubbs||Owned by:||lfs-book|
New minor version.
Release notes for 2.28
- The big new feature of this release relates to POSIX syscall behavior for pthreads:
- That is, introduced a library libpsx that can emulate POSIX syscalls for all pthreads
- You might think that this is already the case from Glibc's nptl:setxid functionality, but alas no. Glibc only supports 9 syscalls with this abstraction and none of them involve prctl() support, or capset(). So, while traditional legacy things like setuid() work, libcap's capability manipulation mediated through the glibc syscalls was still tied to individual threads...
- TL;DR with gcc linker flags, " -lpsx -Wl,-wrap,pthread_create " (or the ld equivalent " -lpsx -wrap=pthread_create "), you can get libcap to observe POSIX semantics sharing capability and prctl state over all pthreads.
- Also added a pair of golang packages implementing libcap/cap and libcap/psx
(preview no install targets yet).
- Writing this caused me to delve into the unfortunate state of threads and privilege handling in Go, which in turn led me to investigate the detail of how Glibc was not supporting libcap.
- Wrote a golang runtime/syscall/cgo patch to implement POSIX semantics for system calls in native Go on linux (see contrib/golang)
- Wrote a tiny webserver to demonstrate/debug how Go's native privilege handling was failing and could work with above patch
- Found a way to conditionally link -lpsx to the libcap/cap Go package to fully support capabilities via cgo (in lieu of syscall.PosixSyscall() not being upstream yet).
- libcap/Makefile: Handle old gperf versions
- More rigor on the unsigned nature of shifted bit masks in libcap
- Minor cleanup to libcap's cap_to_text handling code.
Note: See TracTickets for help on using tickets.