Capabilities & ELF

There's been a fair amount of talk about putting capabilities information into ELF executables under Linux.  There have been a couple attempts at implementing this, but none of them are really in the spirit of ELF's design.  While this is still an imperfect hack, here's a program to insert capabilities as an ELF note segment, which is a general mechanism for putting arbitrary data into an ELF file.

How it works

This program can take a perfectly innocent executable and graft a CAPS note into it.  Here's how it works:

Before (static executable):
 
Elf header Elf32_Ehdr Pointer to Phdr
Program header Elf32_Phdr PT_PHDR - refers to PHDR itself
PT_LOAD - text
PT_LOAD - data+bss
mapped segments text
data

After:
 
New header info
Exec() uses this when the process is run.  This is mapped just before the original start of the process.
Elf header Elf32_Ehdr Pointer to new Phdr
Program header Elf32_Phdr PT_PHDR
PT_LOAD - text
PT_LOAD - data+bss
PT_NOTE - capabilities
Note data
padding to page size
Original header info
This is unchanged and is mapped in the same place in the process address space.
Elf header Elf32_Ehdr Elf header Elf32_Ehdr
Program header Elf32_Phdr PT_PHDR
PT_LOAD
PT_LOAD

What does all this mean?  Essentially everything in the executable file is shifted up one page, and the new ELF header and capabilities are slotted in.  Everything is the same when the process is run, but the newly inserted headers are mapped just before the start of the original executable.  There's no real reason they need to be mapped at all, other than the way that the kernel's ELF exec loader works.

Where's the code?

Here's the code, as of 24 April 1999.  Be careful though, it bites: In other words, its just a proof of concept.  It's not much of a proof if it doesn't deal with dynamically linked programs, so that's what I'm working on now.

This is a patch for fs/binfmt_elf in 2.2.x kernels.  It parses an executable's NOTES section (if any) and extracts capabilities from it.  It doesn't actually do anything with the info once its been found.

Comments? Mail me.