id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4559	libcap-2.28	Bruce Dubbs	lfs-book	"New minor version.

Release notes for 2.28

- The big new feature of this release relates to POSIX syscall behavior for pthreads:
  - That is, introduced a library libpsx that can emulate POSIX syscalls for all pthreads
  - You might think that this is already the case from Glibc's nptl:setxid functionality,  
    but alas no. Glibc only supports 9 syscalls with this abstraction and none of them  
    involve prctl() support, or capset(). So, while traditional legacy things like  
    setuid() work, libcap's capability manipulation mediated through the glibc syscalls  
    was still tied to individual threads...
  - TL;DR with gcc linker flags, "" -lpsx -Wl,-wrap,pthread_create "" (or the ld equivalent  
    "" -lpsx -wrap=pthread_create ""), you can get libcap to observe POSIX semantics  
    sharing capability and prctl state over all pthreads.
- Also added a pair of golang packages implementing libcap/cap and libcap/psx
  (preview, no install targets yet).
  - Writing this caused me to delve into the unfortunate state of threads and 
    privilege handling in Go, which in turn led me to investigate the detail 
    of how Glibc was not supporting libcap.
  - Wrote a golang runtime/syscall/cgo patch to implement POSIX semantics for 
    system calls in native Go on Linux (see contrib/golang)
  - Wrote a tiny webserver to demonstrate/debug how Go's native privilege handling 
    was failing and could work with above patch
  - Found a way to conditionally link -lpsx to the libcap/cap Go package to fully 
    support capabilities via cgo (in lieu of syscall.PosixSyscall() not being upstream yet).
- libcap/Makefile: Handle old gperf versions 
- More rigor on the unsigned nature of shifted bit masks in libcap
- Minor cleanup to libcap's cap_to_text handling code.
"	task	closed	normal	9.1	Book	SVN	normal	fixed		
