/* n.b. yes I know I should be using libcap!! */
int retval;
struct __user_cap_header_struct cap_head;
struct __user_cap_data_struct cap_data;
__u32 cap_mask = 0;
if (!caps)
{
bug("asked to adopt no capabilities");
}
vsf_sysutil_memclr(&cap_head, sizeof(cap_head));
vsf_sysutil_memclr(&cap_data, sizeof(cap_data));
cap_head.version = _LINUX_CAPABILITY_VERSION;
cap_head.pid = 0;
if (caps & kCapabilityCAP_CHOWN)
{
cap_mask |= (1 << CAP_CHOWN);
}
if (caps & kCapabilityCAP_NET_BIND_SERVICE)
{
cap_mask |= (1 << CAP_NET_BIND_SERVICE);
}
cap_data.effective = cap_data.permitted = cap_mask;
cap_data.inheritable = 0;
retval = capset(&cap_head, &cap_data);
if (retval != 0)
{
die("capset");
}
}
#else /* VSF_SYSDEP_HAVE_LIBCAP */
static int
do_checkcap(void)
{
cap_t current_caps = cap_get_proc();
cap_free(current_caps);
if (current_caps != NULL)
{
return 1;
}
return 0;
}
static int am_privileged(void)
{
int am_privileged = 1;
cap_t cap = cap_get_proc();
if (eff_caps_empty(cap))
am_privileged = 0;
cap_free(cap);
return am_privileged;
}
static _Bool
nsm_clear_capabilities(void)
{
cap_t caps;
caps = cap_from_text("cap_net_bind_service=ep");
if (caps == NULL) {
xlog(L_ERROR, "Failed to allocate capability: %m");
return false;
}
if (cap_set_proc(caps) == -1) {
xlog(L_ERROR, "Failed to set capability flags: %m");
(void)cap_free(caps);
return false;
}
(void)cap_free(caps);
return true;
}
/*
* The project is going away so disable its cap.
*/
void
cpucaps_project_remove(kproject_t *kpj)
{
mutex_enter(&caps_lock);
if (PROJECT_IS_CAPPED(kpj))
cap_project_disable(kpj);
if (kpj->kpj_cpucap != NULL) {
cap_free(kpj->kpj_cpucap);
kpj->kpj_cpucap = NULL;
}
mutex_exit(&caps_lock);
}
/* run after child init we are uid User and gid Group */
static void ruid_child_init (apr_pool_t *p, server_rec *s)
{
UNUSED(s);
int ncap;
cap_t cap;
cap_value_t capval[4];
/* detect default supplementary group IDs */
if ((startup_groupsnr = getgroups(RUID_MAXGROUPS, startup_groups)) == -1) {
startup_groupsnr = 0;
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s ERROR getgroups() failed on child init, ignoring supplementary group IDs", MODULE_NAME);
}
/* setup chroot jailbreak */
if (chroot_used == RUID_CHROOT_USED && cap_mode == RUID_CAP_MODE_KEEP) {
if ((root_handle = open("/.", O_RDONLY)) < 0) {
root_handle = UNSET;
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR opening root file descriptor failed (%s)", MODULE_NAME, strerror(errno));
} else if (fcntl(root_handle, F_SETFD, FD_CLOEXEC) < 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR unable to set close-on-exec flag on root file descriptor (%s)", MODULE_NAME, strerror(errno));
if (close(root_handle) < 0)
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR closing root file descriptor (%d) failed", MODULE_NAME, root_handle);
root_handle = UNSET;
} else {
/* register cleanup function */
apr_pool_cleanup_register(p, (void*)((long)root_handle), ruid_child_exit, apr_pool_cleanup_null);
}
} else {
root_handle = (chroot_used == RUID_CHROOT_USED ? NONE : UNSET);
}
/* init cap with all zeros */
cap = cap_init();
capval[0] = CAP_SETUID;
capval[1] = CAP_SETGID;
ncap = 2;
if (mode_stat_used == RUID_MODE_STAT_USED) {
capval[ncap++] = CAP_DAC_READ_SEARCH;
}
if (root_handle != UNSET) {
capval[ncap++] = CAP_SYS_CHROOT;
}
cap_set_flag(cap, CAP_PERMITTED, ncap, capval, CAP_SET);
if (cap_set_proc(cap) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed", MODULE_NAME, __func__);
}
cap_free(cap);
/* check if process is dumpable */
coredump = prctl(PR_GET_DUMPABLE);
}
int main()
{
#ifdef HAVE_LIBCAP
cap_t caps, caps2;
int ret;
caps = cap_from_text("cap_setpcap+ep");
caps2 = cap_from_text("cap_setpcap+ep");
ret = cap_set_proc(caps);
ret = cap_compare(caps, caps2);
printf("Caps were %sthe same\n", ret ? "not " : "");
cap_free(caps);
cap_free(caps2);
return ret;
#else
printf("System doesn't support full POSIX capabilities.\n");
return 1;
#endif
}
static int have_capabilities(void) {
#ifdef HAVE_CAP_GET_PROC
cap_t caps = cap_get_proc();
if (caps) {
cap_flag_value_t value_p;
cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE,&value_p);
cap_free(caps);
return (value_p);
}
#endif /*HAVE_CAP_GET_PROC*/
return 0;
}
static PyObject *
pycap_set_proc(PyObject *self, PyObject *args) {
char *cap_str;
cap_t cap;
if (!PyArg_ParseTuple(args, "s", &cap_str)) {
return NULL;
}
if ((cap = cap_from_text(cap_str)) == NULL) {
PyErr_SetFromErrno(PyExc_OSError);
return NULL;
}
if (cap_set_proc(cap)) {
PyErr_SetFromErrno(PyExc_OSError);
cap_free(cap);
return NULL;
}
cap_free(cap);
Py_RETURN_NONE;
}
char *
do_cap_get_file (const char *path)
{
cap_t cap;
char *r, *ret;
CHROOT_IN;
cap = cap_get_file (path);
CHROOT_OUT;
if (cap == NULL) {
reply_with_perror ("%s", path);
return NULL;
}
r = cap_to_text (cap, NULL);
if (r == NULL) {
reply_with_perror ("cap_to_text");
cap_free (cap);
return NULL;
}
cap_free (cap);
/* 'r' is not an ordinary pointer that can be freed with free(3)!
* In the current implementation of libcap, if you try to do that it
* will segfault. We have to duplicate this into an ordinary
* buffer, then call cap_free (r).
*/
ret = strdup (r);
if (ret == NULL) {
reply_with_perror ("strdup");
cap_free (r);
return NULL;
}
cap_free (r);
return ret; /* caller frees */
}
int set_caps_from_text(char *capstr)
{
cap_t caps = cap_from_text(capstr);
int ret;
if (!caps) {
tst_resm(TFAIL, "Bad capability name: %s\n", capstr);
return 1;
}
ret = cap_set_proc(caps);
cap_free(caps);
return ret;
}
static int do_cap_set(cap_value_t *cap_value, int size, int reset)
{
cap_t caps;
if (reset) {
/*
* Start with an empty set and set permitted and effective
*/
caps = cap_init();
if (caps == NULL) {
do_perror("cap_init");
return -1;
}
if (cap_set_flag(caps, CAP_PERMITTED, size, cap_value, CAP_SET) < 0) {
do_perror("cap_set_flag");
goto error;
}
} else {
caps = cap_get_proc();
if (!caps) {
do_perror("cap_get_proc");
return -1;
}
}
if (cap_set_flag(caps, CAP_EFFECTIVE, size, cap_value, CAP_SET) < 0) {
do_perror("cap_set_flag");
goto error;
}
if (cap_set_proc(caps) < 0) {
do_perror("cap_set_proc");
goto error;
}
cap_free(caps);
return 0;
error:
cap_free(caps);
return -1;
}
static int fsmSetFCaps(const char *path, const char *captxt)
{
int rc = 0;
#if WITH_CAP
if (captxt && *captxt != '\0') {
cap_t fcaps = cap_from_text(captxt);
if (fcaps == NULL || cap_set_file(path, fcaps) != 0) {
rc = RPMERR_SETCAP_FAILED;
}
cap_free(fcaps);
}
#endif
return rc;
}
static void
_clrcap (char *s, cap_value_t capflag)
{
cap_t cap;
if (!(cap = cap_get_proc ()))
err_exit ("%s: cap_get_proc", s);
if (cap_set_flag (cap, CAP_EFFECTIVE, 1, &capflag, CAP_CLEAR) < 0)
err_exit ("%s: cap_set_flag", s);
if (cap_set_proc (cap) < 0)
err_exit ("%s: cap_set_proc", s);
if (cap_free (cap) < 0)
err_exit ("%s: cap_free", s);
}
static void
_prtcap (char *s, cap_value_t capflag)
{
cap_t cap;
cap_flag_value_t val;
if (!(cap = cap_get_proc ()))
err_exit ("%s: cap_get_proc", s);
if (cap_get_flag (cap, capflag, CAP_EFFECTIVE, &val) < 0)
err_exit ("%s: cap_get_flag", s);
if (cap_free (cap) < 0)
err_exit ("%s: cap_free", s);
msg ("%s: cap is %s", s, val == CAP_SET ? "set" : "clear");
}
int lxc_caps_up(void)
{
cap_t caps;
cap_value_t cap;
int ret;
/* when we are run as root, we don't want to play
* with the capabilities */
if (!getuid())
return 0;
caps = cap_get_proc();
if (!caps) {
ERROR("failed to cap_get_proc: %m");
return -1;
}
//č®¾ē½®ēØåŗč½å
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
cap_flag_value_t flag;
ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
if (ret) {
if (errno == EINVAL) {
INFO("Last supported cap was %d\n", cap-1);
break;
} else {
ERROR("failed to cap_get_flag: %m");
goto out;
}
}
ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
if (ret) {
ERROR("failed to cap_set_flag: %m");
goto out;
}
}
ret = cap_set_proc(caps);
if (ret) {
ERROR("failed to cap_set_proc: %m");
goto out;
}
out:
cap_free(caps);
return 0;
}
/*
* The function is called for each project in a zone when the zone cap is
* modified. It enables project caps if zone cap is enabled and disables if the
* zone cap is disabled and project doesn't have its own cap.
*
* For each project that does not have cpucap structure allocated it allocates a
* new structure and assigns to kpj->cpu_cap. The allocation is performed
* without holding caps_lock to avoid using KM_SLEEP allocation with caps_lock
* held.
*/
static int
cap_project_zone_modify_walker(kproject_t *kpj, void *arg)
{
cpucap_t *project_cap = NULL;
cpucap_t *zone_cap = (cpucap_t *)arg;
ASSERT(zone_cap != NULL);
if (kpj->kpj_cpucap == NULL) {
/*
* This is the first time any cap was established for this
* project. Allocate a new cpucap structure for it.
*/
project_cap = cap_alloc();
}
mutex_enter(&caps_lock);
/*
* Double-check that kpj_cpucap is still NULL - now with caps_lock held
* and assign the newly allocated cpucap structure to it.
*/
if (kpj->kpj_cpucap == NULL) {
kpj->kpj_cpucap = project_cap;
} else if (project_cap != NULL) {
cap_free(project_cap);
}
project_cap = kpj->kpj_cpucap;
if (CAP_DISABLED(zone_cap)) {
/*
* Remove all projects in this zone without caps
* from the capped_projects list.
*/
if (project_cap->cap_chk_value == MAX_USAGE) {
cap_project_disable(kpj);
}
} else if (CAP_DISABLED(project_cap)) {
/*
* Add the project to capped_projects list.
*/
ASSERT(project_cap->cap_chk_value == 0);
cap_project_enable(kpj, MAX_USAGE);
}
mutex_exit(&caps_lock);
return (0);
}
static int
modifyCap(int capability, int setting)
{
cap_t caps;
cap_value_t capList[1];
/* Retrieve caller's current capabilities */
caps = cap_get_proc();
if (caps == NULL)
return 1;
/* Change setting of 'capability' in the effective set of 'caps'. The
third argument, 1, is the number of items in the array 'capList'. */
capList[0] = capability;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, capList, setting) == -1) {
cap_free(caps);
return 2;
}
/* Push modified capability sets back to kernel, to change
caller's capabilities */
if (cap_set_proc(caps) == -1) {
cap_free(caps);
return 3;
}
/* Free the structure that was allocated by libcap */
if (cap_free(caps) == -1)
return 4;
return 0;
}
void
install_real_capabilities (cap_t new_caps)
{
/* If we have no capabilities there is nothing to do here. */
if (new_caps == NULL)
return;
if (cap_set_proc (new_caps))
{
cap_free (new_caps);
dbg_log (_("Failed to drop capabilities"));
error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
/* NOTREACHED */
}
cap_free (new_caps);
if (prctl (PR_SET_KEEPCAPS, 0) == -1)
{
dbg_log (_("Failed to unset keep-capabilities"));
error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
/* NOTREACHED */
}
}
static void test_set_ambient_caps(void) {
cap_t caps;
uint64_t set = 0;
cap_flag_value_t fv;
caps = cap_get_proc();
assert_se(caps);
assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
assert(fv == CAP_CLEAR);
cap_free(caps);
assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
set = (UINT64_C(1) << CAP_CHOWN);
assert_se(!capability_ambient_set_apply(set, true));
caps = cap_get_proc();
assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
assert(fv == CAP_SET);
cap_free(caps);
assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
}
/* ensure this process has CAP_SYS_CHROOT capability. */
void ensure_capsyschroot(const char *executable) {
cap_t caps = cap_get_proc(); // all current capabilities.
cap_flag_value_t chroot_permitted, chroot_effective;
if (!caps)
perror("cap_get_proc");
/* effective and permitted flags should be set for CAP_SYS_CHROOT. */
cap_get_flag(caps, CAP_SYS_CHROOT, CAP_PERMITTED, &chroot_permitted);
cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE, &chroot_effective);
if (chroot_permitted != CAP_SET || chroot_effective != CAP_SET) {
fprintf(stderr, "Error: chroot: No CAP_SYS_CHROOT capability.\n");
exit(1);
}
cap_free(caps);
}
/*
* The zone is going away, so disable its cap.
*/
void
cpucaps_zone_remove(zone_t *zone)
{
mutex_enter(&caps_lock);
while (ZONE_IS_CAPPED(zone)) {
mutex_exit(&caps_lock);
(void) cpucaps_zone_set(zone, NOCAP);
mutex_enter(&caps_lock);
}
if (zone->zone_cpucap != NULL) {
cap_free(zone->zone_cpucap);
zone->zone_cpucap = NULL;
}
mutex_exit(&caps_lock);
}
void linux_drop_privs(void)
{
cap_t caps = cap_init();
int num = 2;
cap_value_t capList[] = { CAP_NET_ADMIN, CAP_SETUID };
cap_set_flag(caps, CAP_EFFECTIVE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, num, capList, CAP_SET);
if (cap_set_proc(caps))
err(1, "cap_set_flag()");
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
err(1, "prctl()");
cap_free(caps);
if (setuid(666) == -1)
err(1, "setuid()");
caps = cap_init();
num = 1;
cap_set_flag(caps, CAP_EFFECTIVE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, num, capList, CAP_SET);
if (cap_set_proc(caps))
err(1, "cap_set_proc()");
cap_free(caps);
/* XXX this really sucks. The guy can screw with our net =( */
}
static
void dropCapability(cap_value_t capability)
{
cap_t caps;
cap_value_t cap_list[] = { capability };
caps = cap_get_proc();
if (caps == nullptr)
{
Log::error("Error: cap_get_proc() failed.");
std::exit(1);
}
char *capText = cap_to_text(caps, nullptr);
Log::info("Capabilities first: " + std::string(capText));
cap_free(capText);
if (cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1 ||
cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1)
{
Log::error("Error: cap_set_flag() failed.");
std::exit(1);
}
if (cap_set_proc(caps) == -1)
{
Log::error("Error: cap_set_proc() failed.");
std::exit(1);
}
capText = cap_to_text(caps, nullptr);
Log::info("Capabilities now: " + std::string(capText));
cap_free(capText);
cap_free(caps);
}
/*
* Set zone's maximum burst time in seconds. A burst time of 0 means that
* the zone can run over its baseline indefinitely.
*/
int
cpucaps_zone_set_burst_time(zone_t *zone, rctl_qty_t base_val)
{
cpucap_t *cap = NULL;
hrtime_t value;
ASSERT(base_val <= INT_MAX);
/* Treat the default as 0 - no limit */
if (base_val == INT_MAX)
base_val = 0;
if (base_val > INT_MAX)
base_val = INT_MAX;
if (CPUCAPS_OFF() || !ZONE_IS_CAPPED(zone))
return (0);
if (zone->zone_cpucap == NULL)
cap = cap_alloc();
mutex_enter(&caps_lock);
if (cpucaps_busy) {
mutex_exit(&caps_lock);
return (EBUSY);
}
/*
* Double-check whether zone->zone_cpucap is NULL, now with caps_lock
* held. If it is still NULL, assign a newly allocated cpucap to it.
*/
if (zone->zone_cpucap == NULL) {
zone->zone_cpucap = cap;
} else if (cap != NULL) {
cap_free(cap);
}
cap = zone->zone_cpucap;
value = SEC_TO_TICK(base_val);
if (value < 0)
value = 0;
cap->cap_burst_limit = value;
mutex_exit(&caps_lock);
return (0);
}
int main(int argc, char *argv[])
{
#if HAVE_SYS_CAPABILITY_H
#ifdef HAVE_LIBCAP
int ret = 1;
cap_flag_value_t f;
cap_value_t v[1];
cap_t cur;
/* Make sure CAP_SYS_ADMIN is not in pI */
cur = cap_get_proc();
ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_INHERITABLE, &f);
if (f == CAP_SET) {
v[0] = CAP_SYS_ADMIN;
ret = cap_set_flag(cur, CAP_INHERITABLE, 1, v, CAP_CLEAR);
if (!ret)
ret = cap_set_proc(cur);
if (ret) {
tst_resm(TBROK,
"Failed to drop cap_sys_admin from pI\n");
tst_exit();
}
} else if (ret) {
tst_brkm(TBROK | TERRNO, NULL, "Failed to add \
CAP_SYS_ADMIN to pI");
}
cap_free(cur);
/* drop the capability from bounding set */
ret = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN);
if (ret) {
tst_resm(TFAIL,
"Failed to drop CAP_SYS_ADMIN from bounding set.\n");
tst_resm(TINFO, "(ret=%d, errno %d)\n", ret, errno);
tst_exit();
}
/* execute "check_pe 0" */
execl("check_pe", "check_pe", "0", NULL);
tst_resm(TBROK, "Failed to execute check_pe (errno %d)\n", errno);
#else /* libcap */
tst_resm(TCONF, "System doesn't have POSIX capabilities.");
#endif
#else /* capability_h */
tst_resm(TCONF, "System doesn't have sys/capability.h.");
#endif
tst_exit();
}
/*-------------------------------------------------------------------*/
DLL_EXPORT int drop_privileges(int capa)
{
uid_t uid;
gid_t gid;
cap_t c;
int rc;
int failed;
cap_value_t v;
int have_capt;
/* If *real* userid is root, no need to do all this */
uid=getuid();
if(!uid) return 0;
failed=1;
have_capt=0;
do
{
c=cap_init();
if(!c) break;
have_capt=1;
v=capa;
rc=cap_set_flag(c,CAP_EFFECTIVE,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_flag(c,CAP_INHERITABLE,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_flag(c,CAP_PERMITTED,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_proc(c);
if(rc<0) break;
rc=prctl(PR_SET_KEEPCAPS,1);
if(rc<0) break;
failed=0;
} while(0);
gid=getgid();
setregid(gid,gid);
setreuid(uid,uid);
if(!failed)
{
rc=cap_set_proc(c);
if(rc<0) failed=1;
}
if(have_capt)
cap_free(c);
return failed;
}
int main(int argc, char *argv[])
{
#ifdef HAVE_SYS_CAPABILITY_H
#ifdef HAVE_LIBCAP
int ret = 1;
cap_flag_value_t f;
cap_t cur;
int n;
if (argc != 2) {
tst_resm(TBROK, "Usage: check_pe [0|1]\n");
tst_exit();
}
n = atoi(argv[1]);
if (n != 0 && n != 1) {
tst_resm(TBROK, "Usage: check_pe [0|1]\n");
tst_exit();
}
cur = cap_get_proc();
ret = cap_get_flag(cur, CAP_SYS_ADMIN, CAP_EFFECTIVE, &f);
if (ret) {
tst_resm(TBROK, "cap_get_flag failed (errno %d)\n", errno);
tst_exit();
}
cap_free(cur);
if (n == 1) {
if (f == CAP_SET) {
tst_resm(TPASS, "cap is in pE\n");
tst_exit();
}
tst_resm(TFAIL, "cap is not in pE\n");
tst_exit();
}
if (f == CAP_CLEAR) {
tst_resm(TPASS, "cap is not in pE\n");
tst_exit();
}
tst_resm(TFAIL, "Cap is in pE\n");
#else /* libcap */
tst_resm(TCONF, "System doesn't have POSIX capabilities.");
#endif
#else /* capability_h */
tst_resm(TCONF, "System doesn't have sys/capability.h");
#endif
tst_exit();
}
__forceinline char * stack_allocator::allocate(int size_bytes){
//round size_bytes up to multiple of 4
if(size_bytes==0){
perror("Allocating 0 bytes?\n");fflush(stdout);
abort();
};
int size = (size_bytes+3)>>2;
if(cap_free()<size+overhead){//check if it fits
throw std::bad_alloc();
};
int * P = beg()-size;
block_size(P) = size;
mark_block_used(P);
_beg = P-overhead;
return (char*)P;
};
void drop_capabilities(void)
{
#ifdef CAPABILITIES
cap_t cap = cap_init();
if (cap_set_proc(cap) < 0) {
perror("ping: cap_set_proc");
exit(-1);
}
cap_free(cap);
#else
if (setuid(getuid())) {
perror("ping: setuid");
exit(-1);
}
#endif
}
static PyObject *
strcaps_get_process(PyObject *self, PyObject *args) { // (int) pid or None
int pid = 0;
if (!PyArg_ParseTuple(args, "|i", &pid)) return NULL;
cap_t caps;
if (!pid) caps = cap_get_proc();
else caps = cap_get_pid(pid);
size_t strcaps_len; char *strcaps;
if (caps == NULL) {
if (errno == ENODATA) { strcaps = "\0"; strcaps_len = 0; }
else {
PyErr_SetFromErrno(PyExc_OSError);
return NULL; } }
else strcaps = cap_to_text(caps, &strcaps_len);
cap_free(caps);
return Py_BuildValue("s#", strcaps, strcaps_len); }; // (str) caps
