#compdef setpriv
__setpriv_prctl_securebits_set_elements() {
  # Complete one element of the --securebits list: a '+' or '-' sign followed
  # by a securebit name.  "$@" holds the compadd options passed in by the
  # caller (_sequence in the option spec for --securebits).
  local -a expl securebits

  # Names offered after the sign.  There is no plain keep_caps entry, only
  # keep_caps_locked -- presumably this mirrors what setpriv itself accepts;
  # confirm against setpriv(1) before extending the list.
  securebits=(
    noroot           noroot_locked
    no_setuid_fixup  no_setuid_fixup_locked
    keep_caps_locked
  )

  if compset -P '[+-]'; then
    # The sign has been typed and is now part of the ignored prefix:
    # offer the securebit names.
    _description minus-plus-securebits expl "prctl securebit"
    compadd "${(@)expl}" "$@" -a - securebits
  else
    # No sign yet: offer '+' and '-' with an empty suffix (-S '') so the
    # name typed next stays attached to the sign.
    _description minus-or-plus expl "-/+"
    compadd "${(@)expl}" -qS '' + -
  fi
}
__setpriv_numbered_caps() {
  # Complete a capability given by number, written cap_N.  The word is
  # consumed left to right: first the literal cap_ prefix, then the digits.
  if ! compset -P cap_; then
    # The cap_ prefix has not been typed yet: offer it.  -S '' replaces the
    # suffix coming from _sequence so the number can follow directly.
    compadd -S '' "$@" -n - cap_
  elif ! compset -P '[0-9]##'; then
    # A capability number, i.e. a non-negative integer, is expected next.
    # Integers cannot be enumerated, so only the description is set up and
    # no match is added.
    local -a expl
    _description -x numbers expl "capability number"
    compadd -S '' "${(@)expl}" -n -
  else
    # cap_ and the digits are both present: the expression is complete, so
    # add an empty match using the options handed down in "$@".
    compadd "$@" -n - ''
  fi
}
__setpriv_cap_set_elements() {
  # Complete one element of a capability list (used for --inh-caps,
  # --ambient-caps and --bounding-set): a '+' or '-' sign followed by
  #   - a capability name,
  #   - the word 'all', or
  #   - 'cap_[0-9]+' (to specify unknown capabilities).
  if compset -P '[+-]'; then
    # The sign is present.  Pass the compadd options generated by _sequence
    # through to whichever alternative produces the matches.
    local -a sequence_argv=( "$@" )
    _alternative -O sequence_argv \
      'special-words:drop/obtain all caps:(all)' \
      'capabilities: :_capabilities' \
      'numbered-capabilities:cap_N:__setpriv_numbered_caps'
  else
    # No sign yet: offer '+' and '-' with an empty suffix so the capability
    # name typed next stays attached to the sign.
    local -a expl
    _description minus-or-plus expl "-/+"
    compadd "${(@)expl}" -qS '' + -
  fi
}
__setpriv_death_signals() {
  # Complete the argument of --pdeathsig: one of the words 'keep' or
  # 'clear', or a signal as completed by _signals.
  local -a pdeathsig_alts
  pdeathsig_alts=(
    'special-words:keep or clear:(keep clear)'
    'signals:UNIX signal:_signals'
  )
  _alternative "${(@)pdeathsig_alts}"
}
# Main body of the setpriv completer: describe every option to _arguments,
# then handle the one state (option-dump) that _arguments hands back.
local curcontext="$curcontext" state state_descr line
typeset -A opt_args
local -a setpriv_specs

# An exclusion list of (- : *) on a spec means that once the option is on the
# line no other option, normal argument or rest argument is offered.
setpriv_specs=(
  # Informational options that stand alone on the command line.
  '(- : *)'{-h,--help}'[print help and exit]'
  '(- : *)'{-V,--version}'[print version information and exit]'
  '(- : *)'{-d,--dump}'[display the current privilege state]:*: :->option-dump'

  # Supplementary groups: the four options exclude one another.
  '(--groups --init-groups --keep-groups)--clear-groups[clear supplementary groups]'
  '(--clear-groups --init-groups --keep-groups)--groups[set supplementary groups]: : _sequence _groups'
  '(--clear-groups --groups --init-groups)--keep-groups[preserve supplementary groups]'
  '(--clear-groups --groups --keep-groups)--init-groups[initialize supplementary groups]'

  # Capability sets: each takes a list of signed capability elements.
  '--inh-caps[set inheritable caps]: : _sequence __setpriv_cap_set_elements'
  '--ambient-caps[set ambient caps]: : _sequence __setpriv_cap_set_elements'
  '--bounding-set[set the cap bounding set]: : _sequence __setpriv_cap_set_elements'
  '(- : *)--list-caps[list all known capabilities]'
  '--no-new-privs[set NO_NEW_PRIVS]'

  # Real and effective group and user ids, completed by _groups and _users.
  '--rgid[set real UNIX group id]:UNIX group:_groups'
  '--egid[set effective UNIX group id]:UNIX group:_groups'
  '--regid[set real and effective UNIX group id]:UNIX group:_groups'
  '--ruid[set real UNIX user id]:UNIX user:_users'
  '--euid[set effective UNIX user id]:UNIX user:_users'
  '--reuid[set real and effective UNIX user id]:UNIX user:_users'

  '--securebits[set "process securebits"]: : _sequence __setpriv_prctl_securebits_set_elements'
  '--pdeathsig[keep, clear, or set parent death signal]: : __setpriv_death_signals'

  # The action of these two specs is blank, so only the description is
  # shown and no label or profile names are offered.
  '--selinux-label[request a selinux label]:SELinux labels: '
  '--apparmor-profile[request an apparmor profile]:AppArmor profiles: '

  '--reset-env[set environment as for a classic login shell]'

  # Everything after the options is the command to run, completed by _normal.
  '*:::command:_normal'
)

_arguments -C -S -s "${(@)setpriv_specs}" && return 0

# Reached only when the call above returned non-zero; option-dump is the
# state named by the --dump spec.
case $state in
  option-dump)
    # After --dump, offer only --dump again (the '*' prefix marks it as
    # repeatable).
    _arguments -S '*'{-d,--dump}'[display the current privilege state]'
    ;;
  *) ;;
esac