authorAndrew G. Morgan <morgan@kernel.org>2021-11-20 23:51:43 -0800
committerAndrew G. Morgan <morgan@kernel.org>2021-11-21 09:39:02 -0800
commit42555598bf70dde98d1aaf5e3967bd9dbc2e5112 (patch)
treea11e389754705d8f357d463d6094187dc014487e
parentd63835d4913f2f2501f749ab08697c1c3c27474c (diff)
downloadlibcap-42555598bf70dde98d1aaf5e3967bd9dbc2e5112.tar.gz
Recognize default secbits of 0 as "HYBRID" mode.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
-rw-r--r--cap/convenience.go10
-rw-r--r--go/compare-cap.go4
-rw-r--r--libcap/cap_proc.c7
-rw-r--r--libcap/cap_text.c2
-rw-r--r--libcap/include/sys/capability.h1
5 files changed, 21 insertions, 3 deletions
diff --git a/cap/convenience.go b/cap/convenience.go
index e832981..a31ac09 100644
--- a/cap/convenience.go
+++ b/cap/convenience.go
@@ -75,6 +75,7 @@ const (
ModeNoPriv
ModePure1EInit
ModePure1E
+ ModeHybrid
)
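Review bot: The new `ModeHybrid` constant carries no doc comment, and the GetMode comment that ends at the start of the next hunk ("declared ModeUncertain.") still describes only the earlier outcomes, so a reader of the enum cannot tell what "hybrid" means or when it is reported. Going by the commit message, it names the state in which the securebits word is 0, the kernel default, in which none of the SECBIT_NOROOT/KEEP_CAPS/NO_SETUID_FIXUP bits are set or locked; I would put `// ModeHybrid is the state in which no securebits are set or locked (the kernel default): capabilities and legacy root privilege coexist.` above the constant, and extend the GetMode comment with a sentence saying that a securebits value of 0 is reported as ModeHybrid. The same one-line explanation belongs next to `#define CAP_MODE_HYBRID` in libcap/include/sys/capability.h, whose hunk adds the value without any comment.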
// GetMode assesses the current process state and summarizes it as
@@ -82,6 +83,9 @@ const (
// declared ModeUncertain.
func GetMode() Mode {
b := GetSecbits()
+ if b == 0 {
+ return ModeHybrid
+ }
if b&securedBasicBits != securedBasicBits {
return ModeUncertain
}
@@ -141,6 +145,10 @@ func (sc *syscaller) setMode(m Mode) error {
return err
}
+ if m == ModeHybrid {
+ return sc.setSecbits(0)
+ }
+
if m == ModeNoPriv || m == ModePure1EInit {
w.ClearFlag(Inheritable)
} else if m != ModePure1E {
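Review bot: The ModeHybrid branch returns immediately after `sc.setSecbits(0)`, so the working capability set `w` obtained just above the hunk is never applied and whatever setMode's tail does for the other modes (outside this hunk) is skipped, whereas the C counterpart in libcap/cap_proc.c only `break`s out of its switch and continues into the code after it; unless the two tails are equivalent, the two implementations leave the process in different states for the same request. Either confirm the tails agree or make the Go path mirror the C one. If an earlier mode set the securebits lock bits, I would expect the kernel to refuse resetting them to 0, in which case the error from setSecbits is returned unchanged, which is fine but deserves a line: `// Hybrid mode only resets securebits; if they are locked the kernel refuses and that error is returned as-is.` setMode starts and ends outside this hunk.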
@@ -199,6 +207,8 @@ func (m Mode) String() string {
return "PURE1E_INIT"
case ModePure1E:
return "PURE1E"
+ case ModeHybrid:
+ return "HYBRID"
default:
return "UNKNOWN"
}
diff --git a/go/compare-cap.go b/go/compare-cap.go
index f2a7d6b..5e489e5 100644
--- a/go/compare-cap.go
+++ b/go/compare-cap.go
@@ -158,8 +158,8 @@ func tryProcCaps() {
log.Fatalf("wrong of groups: got=%v want=[100 l01]", gs)
}
- if mode := cap.GetMode(); mode != cap.ModeUncertain {
- log.Fatalf("initial mode should be 0 (UNCERTAIN), got: %d (%v)", mode, mode)
+ if mode := cap.GetMode(); mode != cap.ModeHybrid {
+ log.Fatalf("initial mode should be 4 (HYBRID), got: %d (%v)", mode, mode)
}
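Review bot: The new Fatalf message hard-codes the numeric value `4` for HYBRID, duplicating the enum value that is already available as `cap.ModeHybrid`; if the Mode constants are ever reordered the test message silently lies. Format the expectation from the constant instead: `log.Fatalf("initial mode should be %d (%v), got: %d (%v)", cap.ModeHybrid, cap.ModeHybrid, mode, mode)`. tryProcCaps continues outside the hunk.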
// To distinguish PURE1E and PURE1E_INIT we need an inheritable capability set.
diff --git a/libcap/cap_proc.c b/libcap/cap_proc.c
index 22a307e..db947f4 100644
--- a/libcap/cap_proc.c
+++ b/libcap/cap_proc.c
@@ -488,7 +488,9 @@ static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
/* for good measure */
_cap_set_no_new_privs(sc);
break;
-
+ case CAP_MODE_HYBRID:
+ ret = _cap_set_secbits(sc, 0);
+ break;
default:
errno = EINVAL;
ret = -1;
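Review bot: The new CAP_MODE_HYBRID case, unlike the case directly above it, does not call `_cap_set_no_new_privs(sc)` "for good measure"; for a mode that leaves the process in the unsecured default state that is plausibly intended, but without a comment the asymmetry reads like an omission. If it is deliberate, say so above the new assignment: `/* hybrid: clear every securebit; no_new_privs is deliberately left alone */`. Note also that `_cap_set_secbits(sc, 0)` presumably fails when any securebits lock bit is already set, and `ret` then carries that failure out of the switch, which looks like the right behaviour but is worth stating in the same comment. _cap_set_mode continues outside the hunk.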
@@ -524,6 +526,9 @@ cap_mode_t cap_get_mode(void)
{
unsigned secbits = cap_get_secbits();
+ if (secbits == 0) {
+ return CAP_MODE_HYBRID;
+ }
if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
return CAP_MODE_UNCERTAIN;
}
diff --git a/libcap/cap_text.c b/libcap/cap_text.c
index 8dfe9f8..7566bd8 100644
--- a/libcap/cap_text.c
+++ b/libcap/cap_text.c
@@ -503,6 +503,8 @@ const char *cap_mode_name(cap_mode_t flavor) {
return "PURE1E";
case CAP_MODE_UNCERTAIN:
return "UNCERTAIN";
+ case CAP_MODE_HYBRID:
+ return "HYBRID";
default:
return "UNKNOWN";
}
diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
index 8719f61..cb96d82 100644
--- a/libcap/include/sys/capability.h
+++ b/libcap/include/sys/capability.h
@@ -122,6 +122,7 @@ typedef unsigned cap_mode_t;
#define CAP_MODE_NOPRIV ((cap_mode_t) 1)
#define CAP_MODE_PURE1E_INIT ((cap_mode_t) 2)
#define CAP_MODE_PURE1E ((cap_mode_t) 3)
+#define CAP_MODE_HYBRID ((cap_mode_t) 4)
/* libcap/cap_alloc.c */
extern cap_t cap_dup(cap_t);