zsh-workers
* [PATCH v2 1/3] Introduce new completion for Linux task capabilities
From: Arseny Maslennikov @ 2021-03-21 13:01 UTC (permalink / raw)
  To: zsh-workers; +Cc: Arseny Maslennikov

This is intended for use on Linux-based systems only.

The next patch introduces a completion for setpriv(1), which actively
uses this function. I believe some utilities that handle caps
may want to use it as well, albeit indirectly (neither setpriv(1) nor
setcap/getcap(8), for instance, want to offer the cap names themselves
as completion results; instead they want to prefix each name or a
comma-separated sequence of names).
---
Changes since v1:
* _capability_names is no longer shipped; users are encouraged to use
  _capabilities with compadd options as a match provider.

 Completion/Linux/Type/_capabilities | 65 +++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 Completion/Linux/Type/_capabilities

diff --git a/Completion/Linux/Type/_capabilities b/Completion/Linux/Type/_capabilities
new file mode 100644
index 000000000..8cb31878f
--- /dev/null
+++ b/Completion/Linux/Type/_capabilities
@@ -0,0 +1,65 @@
+#autoload
+
+# This function completes POSIX capabilities for Linux.
+# Many command line utilities expect different syntax to encode various kinds
+# of capability names or sets, so this function tries to be as generic as
+# possible. It accepts compadd options to allow variations on the exact
+# generated completion matches.
+#
+# Usage examples:
+#
+# Complete full capability names:
+#   _capabilities -p cap_
+# Sort the completion list by capability number:
+#   _capabilities -o nosort
+
+# The list of Linux capabilities is taken from include/uapi/linux/capability.h
+# and subject to the following pipe filter:
+# grep 'define CAP' | sed -r 's/^[[:space:]]*#define[[:space:]]+CAP_//; s/[[:space:]]+[0-9]+$//' | tr '[[:upper:]]' '[[:lower:]]'
+local -a caplist=(
+  chown
+  dac_override
+  dac_read_search
+  fowner
+  fsetid
+  kill
+  setgid
+  setuid
+  setpcap
+  linux_immutable
+  net_bind_service
+  net_broadcast
+  net_admin
+  net_raw
+  ipc_lock
+  ipc_owner
+  sys_module
+  sys_rawio
+  sys_chroot
+  sys_ptrace
+  sys_pacct
+  sys_admin
+  sys_boot
+  sys_nice
+  sys_resource
+  sys_time
+  sys_tty_config
+  mknod
+  lease
+  audit_write
+  audit_control
+  setfcap
+  mac_override
+  mac_admin
+  syslog
+  wake_alarm
+  block_suspend
+  audit_read
+  perfmon
+  bpf
+  checkpoint_restore
+)
+local -a expl
+
+_description capabilities expl "Linux capability"
+compadd "${(@)expl}" "$@" -a - caplist
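
Review bot: The comment above caplist gives the pipe filter applied to include/uapi/linux/capability.h but not the kernel version it was run against, so a later reader cannot tell whether this hard-coded snapshot is missing newer capabilities; record the version in that comment. The `_capabilities -o nosort` usage example also yields capability-number order only while the array keeps the header's order, which deserves a one-line comment next to caplist so nobody alphabetizes it.
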
-- 
2.31.0




* [PATCH v2 2/3] Introduce new completion for setpriv(1) on Linux
From: Arseny Maslennikov @ 2021-03-21 13:01 UTC (permalink / raw)
  To: zsh-workers; +Cc: Arseny Maslennikov

This is a utility from util-linux which sets or queries various Linux
process privilege settings that are inherited across execve(2). More
info is available in the corresponding manual page[1].

[1] https://man7.org/linux/man-pages/man1/setpriv.1.html
---
Changes since v1:
* Code style and grammar adjustments to comply with Etc/completion-style-guide.
* The code now uses compset -P to handle -/+ when completing caps and
  prctl securebits.
* The argument to --groups is completed correctly.
* In addition to named capabilities, the pattern cap_[0-9]+ is
  completed.

 Completion/Linux/Command/_setpriv | 100 ++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 Completion/Linux/Command/_setpriv

diff --git a/Completion/Linux/Command/_setpriv b/Completion/Linux/Command/_setpriv
new file mode 100644
index 000000000..f42e02cc8
--- /dev/null
+++ b/Completion/Linux/Command/_setpriv
@@ -0,0 +1,100 @@
+#compdef setpriv
+
+__setpriv_prctl_securebits_set_elements() {
+  local -a expl
+  local -a bits
+
+  bits=(
+      noroot noroot_locked
+      no_setuid_fixup no_setuid_fixup_locked
+      keep_caps_locked
+  )
+
+  if ! compset -P '[+-]'; then
+    _description minus-or-plus expl "-/+"
+    compadd "${(@)expl}" -qS '' {+,-}
+    return
+  fi
+
+  _description minus-plus-securebits expl "prctl securebit"
+  compadd "${(@)expl}" "$@" -a - bits
+}
+
+__setpriv_numbered_caps() {
+  # The cap_ prefix.
+  # We override the suffix from _sequence with -S '' to stay adjacent
+  # to the following number.
+  if ! compset -P cap_; then
+    compadd -S '' "$@" -n - cap_
+    return
+  fi
+  # A capability number; i.e. a non-negative integer.
+  # We can't complete integers, so no matches.
+  if ! compset -P '[0-9]##'; then
+    local -a expl
+    _description -x numbers expl "capability number"
+    compadd -S '' "${(@)expl}" -n -
+    return
+  fi
+  # The numbered cap expression is complete.
+  compadd "$@" -n - ''
+}
+
+__setpriv_cap_set_elements() {
+  # '-' or '+', followed by one of the following:
+  # - a capability name
+  # - the word 'all'
+  # - 'cap_[0-9]+' (to specify unknown capabilities).
+  if ! compset -P '[+-]'; then
+    local -a expl
+    _description minus-or-plus expl "-/+"
+    compadd "${(@)expl}" -qS '' {+,-}
+    return
+  fi
+
+  # We pass through compadd options generated by _sequence.
+  local -a sequence_argv=( "$@" )
+
+  _alternative -O sequence_argv \
+      'special-words:drop/obtain all caps:(all)' \
+      'capabilities: :_capabilities' \
+      'numbered-capabilities:cap_N:__setpriv_numbered_caps' \
+      #
+}
+
+__setpriv_death_signals() {
+  _alternative \
+      'special-words:keep or clear:(keep clear)' \
+      'signals:UNIX signal:_signals' \
+      #
+}
+
+local curcontext="$curcontext" state state_descr line
+typeset -A opt_args
+
+_arguments -C -S \
+  '(- : *)'{-h,--help}'[print help and exit]' \
+  '(- : *)'{-V,--version}'[print version information and exit]' \
+  '(- : *)*'{-d,--dump}'[display the current privilege state]' \
+  '(--groups --init-groups --keep-groups)--clear-groups[clear supplementary groups]' \
+  '(--clear-groups --init-groups --keep-groups)--groups[set supplementary groups]: : _sequence _groups' \
+  '(--clear-groups --groups --init-groups)--keep-groups[preserve supplementary groups]' \
+  '(--clear-groups --groups --keep-groups)--init-groups[initialize supplementary groups]' \
+  '--inh-caps[set inheritable caps]: : _sequence __setpriv_cap_set_elements' \
+  '--ambient-caps[set ambient caps]: : _sequence __setpriv_cap_set_elements' \
+  '--bounding-set[set the cap bounding set]: : _sequence __setpriv_cap_set_elements' \
+  '(- : *)--list-caps[list all known capabilities]' \
+  '--no-new-privs[set NO_NEW_PRIVS]' \
+  '--rgid[set real UNIX group id]:UNIX group:_groups' \
+  '--egid[set effective UNIX group id]:UNIX group:_groups' \
+  '--regid[set real and effective UNIX group id]:UNIX group:_groups' \
+  '--ruid[set real UNIX user id]:UNIX user:_users' \
+  '--euid[set effective UNIX user id]:UNIX user:_users' \
+  '--reuid[set real and effective UNIX user id]:UNIX user:_users' \
+  '--securebits[set "process securebits"]: : _sequence __setpriv_prctl_securebits_set_elements' \
+  '--pdeathsig[keep, clear, or set parent death signal]: : __setpriv_death_signals' \
+  '--selinux-label[request a selinux label]:SELinux labels: ' \
+  '--apparmor-profile[request an apparmor profile]:AppArmor profiles: ' \
+  '--reset-env[set environment as for a classic login shell]' \
+  '*:::command:_normal' \
+  #
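
Review bot: The final `_arguments -C -S` call is preceded by `local curcontext="$curcontext" state state_descr line` and `typeset -A opt_args`, yet no spec in this patch uses a `->state` action, so -C and those locals have no effect here; drop them from this patch or introduce them together with the first state action. Separately, the `compset -P '[+-]'` block that offers -/+ is repeated in __setpriv_prctl_securebits_set_elements and __setpriv_cap_set_elements and could live in one shared helper.
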
-- 
2.31.0




* [RFC PATCH v2 3/3] _setpriv: complete multiple --dump with argument states
From: Arseny Maslennikov @ 2021-03-21 13:01 UTC (permalink / raw)
  To: zsh-workers; +Cc: Arseny Maslennikov

---
 Completion/Linux/Command/_setpriv | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Completion/Linux/Command/_setpriv b/Completion/Linux/Command/_setpriv
index f42e02cc8..d6fe428ba 100644
--- a/Completion/Linux/Command/_setpriv
+++ b/Completion/Linux/Command/_setpriv
@@ -72,10 +72,10 @@ __setpriv_death_signals() {
 local curcontext="$curcontext" state state_descr line
 typeset -A opt_args
 
-_arguments -C -S \
+_arguments -C -S -s \
   '(- : *)'{-h,--help}'[print help and exit]' \
   '(- : *)'{-V,--version}'[print version information and exit]' \
-  '(- : *)*'{-d,--dump}'[display the current privilege state]' \
+  '(- : *)'{-d,--dump}'[display the current privilege state]:*: :->option-dump' \
   '(--groups --init-groups --keep-groups)--clear-groups[clear supplementary groups]' \
   '(--clear-groups --init-groups --keep-groups)--groups[set supplementary groups]: : _sequence _groups' \
   '(--clear-groups --groups --init-groups)--keep-groups[preserve supplementary groups]' \
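
Review bot: Adding `-s` to the top-level `_arguments` call turns on single-letter option stacking for every short option in the spec list (-h and -V as well as -d), and the commit message is empty, so nothing records that this wider effect is intended. State in the commit message why -s is needed and why --dump is now modeled with the `:*: :->option-dump` rest-of-line argument instead of the repeatable `*` prefix it had before.
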
@@ -97,4 +97,11 @@ _arguments -C -S \
   '--apparmor-profile[request an apparmor profile]:AppArmor profiles: ' \
   '--reset-env[set environment as for a classic login shell]' \
   '*:::command:_normal' \
-  #
+  && return 0
+
+case $state in
+  option-dump)
+      _arguments -S '*'{-d,--dump}'[display the current privilege state]'
+      ;;
+  *) ;;
+esac
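
Review bot: The nested call in the option-dump arm is `_arguments -S`, without the `-s` that the top-level call gains in this same patch, so the two calls parse stacked short options such as -dd differently; pass the same flags to both. The `*) ;;` arm is a no-op and can be dropped, and the help text for -d/--dump now appears in two specs, so keeping it in one variable would stop the copies from drifting apart.
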
-- 
2.31.0




* Re: [PATCH v2 2/3] Introduce new completion for setpriv(1) on Linux
From: Mikael Magnusson @ 2021-03-22 10:18 UTC (permalink / raw)
  To: Arseny Maslennikov; +Cc: zsh-workers

On 3/21/21, Arseny Maslennikov <ar@cs.msu.ru> wrote:
> This is a utility from util-linux which sets or queries various Linux
> process privilege settings that are inherited across execve(2). More
> info is available in the corresponding manual page[1].
[...]
> +  if ! compset -P '[+-]'; then
> +    _description minus-or-plus expl "-/+"
> +    compadd "${(@)expl}" -qS '' {+,-}
[...]
> +    compadd "${(@)expl}" -qS '' {+,-}

{+,-} is exactly the same as + - so it's a little needlessly
complicated. That said I don't think it's worth resending just for
that... but if someone goes in there again to edit it, feel free to
change those.

-- 
Mikael Magnusson



* Re: [PATCH v2 1/3] Introduce new completion for Linux task capabilities
From: Lawrence Velázquez @ 2021-03-27 16:28 UTC (permalink / raw)
  To: zsh-workers; +Cc: Arseny Maslennikov

On Sun, Mar 21, 2021, at 9:01 AM, Arseny Maslennikov wrote:
> This is intended for use on Linux-based systems only.
> 
> The next patch introduces a completion for setpriv(1), which actively
> uses this function. I believe some utilities that handle caps
> may want to use it as well, albeit indirectly (neither setpriv(1) nor
> setcap/getcap(8), for instance, want to offer the cap names themselves
> as completion results; instead they want to prefix each name or a
> comma-separated sequence of names).

ping for review

vq



* Re: [RFC PATCH v2 3/3] _setpriv: complete multiple --dump with argument states
From: Lawrence Velázquez @ 2021-03-27 16:28 UTC (permalink / raw)
  To: zsh-workers; +Cc: Arseny Maslennikov

On Sun, Mar 21, 2021, at 9:01 AM, Arseny Maslennikov wrote:
> ---
>  Completion/Linux/Command/_setpriv | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)

ping for review

vq



* Re: Re: [PATCH v2 1/3] Introduce new completion for Linux task capabilities
From: Oliver Kiddle @ 2021-03-28 10:57 UTC (permalink / raw)
  To: zsh-workers, Arseny Maslennikov

Lawrence Velázquez wrote:
> On Sun, Mar 21, 2021, at 9:01 AM, Arseny Maslennikov wrote:
> > This is intended for use on Linux-based systems only.
> > 
> > The next patch introduces a completion for setpriv(1), which actively
> ping for review

I've committed the updated versions of these patches. Thanks Arseny for
contributing the functions and for dealing with our comments. If anyone
has further comments, they can be handled with additional patches on
top. I tweaked _setpriv in accordance with the point Mikael made about
brace expansion being pointless for {+,-}. That's in workers/48221 but
worryingly, that sequence number got somehow duplicated.

Oliver



* Duplicated X-Seq?  (was: Re: Re: [PATCH v2 1/3] Introduce new completion for Linux task capabilities)
From: Daniel Shahaf @ 2021-03-29  6:38 UTC (permalink / raw)
  To: Oliver Kiddle; +Cc: zsh-workers

[Arseny to BCC]

Oliver Kiddle wrote on Sun, Mar 28, 2021 at 12:57:43 +0200:
> Lawrence Velázquez wrote:
> > On Sun, Mar 21, 2021, at 9:01 AM, Arseny Maslennikov wrote:
> > > This is intended for use on Linux-based systems only.
> > > 
> > > The next patch introduces a completion for setpriv(1), which actively
> > ping for review
> 
> I've committed the updated versions of these patches. Thanks Arseny for
> contributing the functions and for dealing with our comments. If anyone
> has further comments, they can be handled with additional patches on
> top. I tweaked _setpriv in accordance with the point Mikael made about
> brace expansion being pointless for {+,-}. That's in workers/48221 but
> worryingly, that sequence number got somehow duplicated.

How so?  «< /var/mail/archives grep \^X-Seq | grep -v ': 2' | grep -15 48221»
on the server shows no anomalies.

Cheers,

Daniel

