Project import
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..fc1d6fa
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,111 @@
+#
+#    Copyright (c) 2010-2011 Nest, Inc.
+#    All rights reserved.
+#
+#    This document is the property of Nest. It is considered
+#    confidential and proprietary information.
+#
+#    This document may not be reproduced or transmitted in any form,
+#    in whole or in part, without the express written permission of
+#    Nest.
+#
+#    Description:
+#      This file is the makefile for the POSIX.1e superuser
+#      capabilities detection library.
+#
+
+BuildConfigSpecialized	:= No
+BuildProductSpecialized	:= No
+
+include pre.mak
+
+PackageName		:= libcap
+
+PackageExtension	:= tar.gz
+PackageSeparator	:= -
+
+PackagePatchArgs	:= -p1
+
+PackageArchive		:= $(PackageName).$(PackageExtension)
+PackageSourceDir	:= $(PackageName)$(PackageSeparator)$(PackageVersion)
+
+PackageBuildMakefile	= $(call GenerateBuildPaths,Makefile)
+
+CleanPaths		+= $(PackageLicenseFile)
+
+LinuxHeaderDir		:= $(call GenerateResultPaths,sw/tps/linux,include)
+
+all: $(PackageDefaultGoal)
+
+# Generate the package license contents.
+
+$(PackageSourceDir)/License: source
+
+$(PackageLicenseFile): $(PackageSourceDir)/License
+	$(copy-result)
+
+# Extract the source from the archive and apply patches, if any.
+
+$(PackageSourceDir): $(PackageArchive) $(PackagePatchPaths)
+	$(expand-and-patch-package)
+
+# Prepare the sources.
+
+.PHONY: source
+source: | $(PackageSourceDir)
+
+# Patch the sources, if necessary.
+
+.PHONY: patch
+patch: source
+
+# Generate the package build makefile.
+
+$(PackageBuildMakefile): | $(PackageSourceDir) $(BuildDirectory)
+	$(call create-links,$(CURDIR)/$(PackageSourceDir),$(BuildDirectory))
+
+# Configure the source for building.
+
+.PHONY: configure
+configure: source $(PackageBuildMakefile)
+
+# Build the source.
+#
+# We have to unset MAKEFLAGS since they confuse the package build otherwise.
+
+.PHONY: build
+build: configure | $(BuildDirectory)
+	$(Verbose)unset MAKEFLAGS && \
+	$(MAKE) $(JOBSFLAG) -C $(BuildDirectory) \
+	BUILD_CC=gcc \
+	CC="$(CC)" AR=$(AR) RANLIB=$(RANLIB) STRIP=$(STRIP) \
+	INSTALL="$(INSTALL) $(INSTALLFLAGS)" \
+	LIBATTR=no \
+	PAM_CAP=no \
+	KERNEL_HEADERS=$(LinuxHeaderDir) \
+	all
+
+# Stage the build to a temporary installation area.
+#
+# We have to unset MAKEFLAGS since they confuse the package build otherwise.
+
+.PHONY: stage
+stage: build | $(ResultDirectory)
+	$(Verbose)unset MAKEFLAGS && \
+	$(MAKE) $(JOBSFLAG) -C $(BuildDirectory) \
+	BUILD_CC=gcc \
+	CC="$(CC)" AR=$(AR) RANLIB=$(RANLIB) STRIP=$(STRIP) \
+	INSTALL="$(INSTALL) $(INSTALLFLAGS)" \
+	LIBATTR=no \
+	PAM_CAP=no \
+	FAKEROOT=$(ResultDirectory) \
+	KERNEL_HEADERS=$(LinuxHeaderDir) \
+	lib=lib \
+	install
+
+clean:
+	$(Verbose)$(RM) $(RMFLAGS) -r $(PackageSourceDir)
+	$(Verbose)$(RM) $(RMFLAGS) -r $(BuildDirectory)
+	$(Verbose)$(RM) $(RMFLAGS) -r $(ResultDirectory)
+
+include post.mak
diff --git a/libcap-2.19/CHANGELOG b/libcap-2.19/CHANGELOG
new file mode 100644
index 0000000..a945be4
--- /dev/null
+++ b/libcap-2.19/CHANGELOG
@@ -0,0 +1,11 @@
+For release notes and other info pointers:
+
+  http://sites.google.com/site/fullycapable/
+
+See GIT repository for detailed source history
+
+  http://git.kernel.org/?p=libs/libcap/libcap.git;a=summary
+
+Or simply download the source:
+
+  git clone git://git.kernel.org/pub/scm/libs/libcap/libcap.git
diff --git a/libcap-2.19/License b/libcap-2.19/License
new file mode 100644
index 0000000..9289476
--- /dev/null
+++ b/libcap-2.19/License
@@ -0,0 +1,41 @@
+Unless otherwise *explicitly* stated, the following text describes the
+licensed conditions under which the contents of this libcap release
+may be used and distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of libcap, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+   notice, and this entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+   copyright notices, this list of conditions, and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+   products derived from this software without their specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions.  (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
diff --git a/libcap-2.19/Make.Rules b/libcap-2.19/Make.Rules
new file mode 100644
index 0000000..5a136af
--- /dev/null
+++ b/libcap-2.19/Make.Rules
@@ -0,0 +1,74 @@
+#
+## Optional prefixes:
+#
+
+# common 'packaging' directoty
+
+FAKEROOT=$(DESTDIR)
+
+# Autoconf-style prefixes are activated when $(prefix) is defined.
+# Otherwise binaries and libraraies are installed in /{lib,sbin}/,
+# header files in /usr/include/ and documentation in /usr/man/man?/.
+
+ifndef lib
+lib=$(shell ldd /usr/bin/ld|fgrep ld-linux|cut -d/ -f2)
+endif
+
+ifdef prefix
+exec_prefix=$(prefix)
+lib_prefix=$(exec_prefix)
+inc_prefix=$(lib_prefix)
+man_prefix=$(prefix)/share
+else
+prefix=/usr
+exec_prefix=
+lib_prefix=$(exec_prefix)
+inc_prefix=$(prefix)
+man_prefix=$(prefix)/share
+endif
+
+# Target directories
+
+MANDIR=$(FAKEROOT)$(man_prefix)/man
+SBINDIR=$(FAKEROOT)$(exec_prefix)/sbin
+INCDIR=$(FAKEROOT)$(inc_prefix)/include
+LIBDIR=$(FAKEROOT)$(lib_prefix)/$(lib)
+
+# common defines for libcap
+LIBTITLE=libcap
+VERSION=2
+MINOR=19
+#
+
+# Compilation specifics
+
+KERNEL_HEADERS := $(topdir)/libcap/include
+IPATH += -I$(topdir)/libcap/include -I$(KERNEL_HEADERS)
+
+CC := gcc
+CFLAGS := -O2
+BUILD_CC := $(CC)
+BUILD_CFLAGS := $(CFLAGS) $(IPATH)
+AR := ar
+RANLIB := ranlib
+DEBUG = -g #-DDEBUG
+WARNINGS=-fPIC -Wall -Wwrite-strings \
+        -Wpointer-arith -Wcast-qual -Wcast-align \
+        -Wstrict-prototypes -Wmissing-prototypes \
+        -Wnested-externs -Winline -Wshadow
+LD=$(CC) -Wl,-x -shared
+LDFLAGS := #-g
+
+SYSTEM_HEADERS = /usr/include
+INCS=$(topdir)/libcap/include/sys/capability.h
+LDFLAGS += -L$(topdir)/libcap
+CFLAGS += -Dlinux $(WARNINGS) $(DEBUG) $(IPATH)
+PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
+INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
+DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
+LIBATTR := yes
+
+# Global cleanup stuff
+
+LOCALCLEAN=rm -f *~ core
+DISTCLEAN=@find . \( -name '*.orig' -o -name '*.rej' \) | xargs rm -f
diff --git a/libcap-2.19/Makefile b/libcap-2.19/Makefile
new file mode 100644
index 0000000..9076724
--- /dev/null
+++ b/libcap-2.19/Makefile
@@ -0,0 +1,30 @@
+#
+# Makefile for libcap
+#
+topdir=$(shell pwd)
+include Make.Rules
+
+#
+# flags
+#
+
+all install clean: %: %-here
+	$(MAKE) -C libcap $@
+ifneq ($(PAM_CAP),no)
+	$(MAKE) -C pam_cap $@
+endif
+	$(MAKE) -C progs $@
+	$(MAKE) -C doc $@
+
+all-here:
+
+install-here:
+
+clean-here:
+	$(LOCALCLEAN)
+
+distclean: clean
+	$(DISTCLEAN)
+
+release: distclean
+	cd .. && ln -s libcap libcap-$(VERSION).$(MINOR) && tar cvfz libcap-$(VERSION).$(MINOR).tar.gz libcap-$(VERSION).$(MINOR)/* && rm libcap-$(VERSION).$(MINOR)
diff --git a/libcap-2.19/README b/libcap-2.19/README
new file mode 100644
index 0000000..b4740f0
--- /dev/null
+++ b/libcap-2.19/README
@@ -0,0 +1,28 @@
+This is a library for getting and setting POSIX.1e (formerly POSIX 6)
+draft 15 capabilities.
+
+This library would not have been possible without the help of 
+
+	Aleph1, Roland Buresund and Andrew Main, Alexander Kjeldaas.
+
+More information on capabilities in the Linux kernel can be found at
+
+	http://sites.google.com/site/fullycapable/
+
+# INSTALLATION
+
+	Linux-Caps % make
+
+		builds the library and the programs
+
+	Linux-Caps % make install
+
+		installs the library libcap.XX.Y in /lib[64]/
+		the binaries in /sbin/
+		the <sys/capability.h> file in /usr/include
+
+* for some example programs look in progs.
+
+Cheers
+
+Andrew G. Morgan <morgan@kernel.org>
diff --git a/libcap-2.19/contrib/Makefile b/libcap-2.19/contrib/Makefile
new file mode 100644
index 0000000..4749630
--- /dev/null
+++ b/libcap-2.19/contrib/Makefile
@@ -0,0 +1,3 @@
+.PHONY: all clean
+all clean:
+	for x in bug* ; do make -C $$x $@ || exit 1 ; done
diff --git a/libcap-2.19/contrib/bug400591/Makefile b/libcap-2.19/contrib/bug400591/Makefile
new file mode 100644
index 0000000..320610c
--- /dev/null
+++ b/libcap-2.19/contrib/bug400591/Makefile
@@ -0,0 +1,9 @@
+all: bug
+
+bug: bug.c ../../libcap Makefile
+	make -C ../../libcap
+	cc -g -I../../libcap/include --static -o $@ $< -L../../libcap -lcap
+	./bug
+
+clean:
+	rm -f bug.o bug
diff --git a/libcap-2.19/contrib/bug400591/bug.c b/libcap-2.19/contrib/bug400591/bug.c
new file mode 100644
index 0000000..2ff2355
--- /dev/null
+++ b/libcap-2.19/contrib/bug400591/bug.c
@@ -0,0 +1,43 @@
+#include <assert.h>
+#include <stdlib.h>
+#include <sys/capability.h>
+
+/*
+ * Original from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400591
+ *
+ * Modified to test more functions.. AGM - 2008/07/06.
+ */
+
+int main (int argc, char *argv[])
+{
+  cap_t caps, caps2;
+  ssize_t size, copy_size;
+  void *buffer;
+  char *text1, *text2;
+
+  assert((caps = cap_get_pid(1)));
+
+  text1 = cap_to_text(caps, NULL);
+  assert(text1);
+
+  size = cap_size (caps);
+  assert (size>0  && size<1024);
+
+  buffer = malloc (size);
+  assert (buffer);
+
+  copy_size = cap_copy_ext (buffer, caps, size);
+  assert (copy_size == size);
+
+  caps2 = cap_copy_int(buffer);
+  assert (caps2);
+  
+  text2 = cap_to_text(caps2, NULL);
+  assert(text2);
+
+  assert(strcmp(text1, text2) == 0);
+
+  assert(cap_compare(caps, caps2) == 0);
+
+  return 0;
+}
diff --git a/libcap-2.19/contrib/pcaps4convenience b/libcap-2.19/contrib/pcaps4convenience
new file mode 100644
index 0000000..c46735d
--- /dev/null
+++ b/libcap-2.19/contrib/pcaps4convenience
@@ -0,0 +1,209 @@
+#!/bin/bash
+# vim:expandtab:tabstop=4
+#
+# author:    chris friedhoff - chris@friedhoff.org
+# version:   pcaps4convenience  2  Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 2 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+# the user has the necessary POSIX Capabilities in his Inheritance
+# set and the applications are accepting the needed PCaps through
+# their Inheritance set.
+# a user who has not the PCaps in his Inheritance set CAN NOT
+# successfully execute the apps
+# --> SET=ie
+# (if SET=pe than you relax the security level of your machine)
+#
+#
+#
+
+
+##HERE WE ADD APPS
+##################
+
+## these apps uses their POSIX Caps
+###################################
+# see /usr/include/linux/capability.h
+# adjust - if needed and wanted - /etc/security/capability.conf
+#eject=cap_dac_read_search,cap_sys_rawio
+eject=2,17
+#killall=cap_kill
+killall=5
+#modprobe=cap_sys_module
+modprobe=16
+#ntpdate=cap_net_bind_service,cap_sys_time
+ntpdate=10,25
+#qemu=cap_net_admin
+qemu=12
+#route=cap_net_admin
+route=12
+
+
+# this apps were converted/reverted
+###################################
+APPSARRAY=( eject killall modprobe ntpdate qemu route )
+
+
+# we put it into this set
+#########################
+SET=ie
+
+
+##FROM HERE ONLY LOGIC
+######################
+
+#save assumption!?
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin
+
+p4c_test(){
+    # are we sane?
+    WICH=`which which 2>/dev/null`
+    if [ $WICH == "" ]; then
+        # thats bad
+        echo "Sorry, I haven't found which"
+        exit
+    fi
+
+    # we needt his apps
+    SETCAP=`which setcap 2>/dev/null`
+    if [ "$SETCAP" == "" ]; then
+        echo "Sorry, I'm missing setcap !"
+        exit
+    fi
+
+    # checking setcap for SET_SETFCAP PCap ?
+    # for now we stick to root
+    if [ "$( id -u )" != "0" ]; then
+        echo "Sorry, you must be root !"
+        exit 1
+    fi
+}
+
+
+
+p4c_app_convert(){
+    # convert a single app
+    # $1 is app name; $2 is POSIX Caps
+    # well symlinks to apps, so we use -a ...
+    APP=`which -a $1 2>/dev/null`
+    if [ "$APP" != "" ]; then
+        FOUND=no
+        for i in $APP; do
+            # ... and are looking for symlinks
+            if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+                echo "converting $i"
+                setcap $2=$SET $i
+                FOUND=yes
+            fi
+        done
+        if [ "$FOUND" == "no" ]; then
+            # 'which' found only symlinks
+            echo "1 haven't found $1"
+        fi
+    else
+        # 'which' hasn't anything given back
+        echo "haven't found $1"
+    fi
+}
+
+
+
+p4c_app_revert(){
+    # revert a singel app
+    # $1 is app name
+    APP=`which -a $1 2>/dev/null`
+    if [ "$APP" != "" ]; then
+        FOUND=no
+        for i in $APP; do
+            if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+                echo "reverting $i"
+                setcap -r $i 2>/dev/null
+                FOUND=yes
+            fi
+        done
+        if [ "$FOUND" == "no" ]; then
+            echo "1 haven't found $1"
+        fi
+    else
+        echo "haven't found $1"
+    fi
+}
+
+
+
+p4c_convert(){
+    # we go throug the APPSARRAY and call s2p_app_convert to do the job
+    COUNTER=0
+    let UPPER=${#APPSARRAY[*]}-1
+    until [ $COUNTER == $UPPER ]; do
+        p4c_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]}
+        let COUNTER+=1
+    done
+}
+
+
+
+p4c_revert(){
+    COUNTER=0
+    let UPPER=${#APPSARRAY[*]}-1
+    until [ $COUNTER == $UPPER ]; do
+        p4c_app_revert ${APPSARRAY[$COUNTER]}
+        let COUNTER+=1
+    done
+
+}
+
+
+
+p4c_usage(){
+    echo
+    echo "pcaps4convenience"
+    echo
+    echo "pcaps4convenience stores the needed POSIX Capabilities for binaries to"
+    echo "run successful into their Inheritance and Effective Set."
+    echo "The user who wants to execute this binaries successful has to have the"
+    echo "necessary POSIX Capabilities in his Inheritable Set. This might be done"
+    echo "through the PAM module pam_cap.so."
+    echo "A user who has not the needed PCaps in his Inheritance Set CAN NOT execute"
+    echo "these binaries successful."
+    echo "(well, still per sudo or su -c - but thats not the point here)"
+    echo
+    echo "You need and I will check fot the utilities which and setcap."
+    echo
+    echo "Your Filesystem has to support extended attributes and your kernel must have"
+    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+    echo
+    echo "Usage:  pcaps4convenience [con(vert)|rev(ert)|help]"
+    echo
+    echo "         con|convert - from setuid0 to POSIX Capabilities"
+    echo "         rev|revert  - from POSIX Capabilities back to setui0"
+    echo "         help        - this help message"
+    echo
+}
+
+
+
+case "$1" in
+    con|convert)
+        p4c_test
+        p4c_convert
+        exit 0
+        ;;
+    rev|revert)
+        p4c_test
+        p4c_revert
+        exit 0
+        ;;
+    help)
+        p4c_usage
+        exit 0
+        ;;
+    *)
+        echo "Try 'pcaps4convenience help' for more information"
+        exit 1
+        ;;
+esac
diff --git a/libcap-2.19/contrib/pcaps4server b/libcap-2.19/contrib/pcaps4server
new file mode 100644
index 0000000..af6f9ca
--- /dev/null
+++ b/libcap-2.19/contrib/pcaps4server
@@ -0,0 +1,369 @@
+#!/bin/sh
+# vim: tabstop=4
+#
+# author:    chris friedhoff - chris@friedhoff.org
+# version:   pcaps4server  5  Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release pcaps4convenience
+# 1 - 2007.02.15 - initial release
+# 2 - 2007.11.02 - changed to new setfcaps api; each app is now callable; supressed error of id
+# 3 - 2007.12.28 - changed to libcap2 package setcap/getcap
+# 4 - renamed to pcaps4server
+#      removed suid0 and convenience files,
+#      they are now in pcaps4suid0 resp. pcaps4convenience
+# 5 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+###########################################################################
+# change the installation of different server to be able not to run as root
+# and have their own unpriviledged user. The binary has the needed POSIX
+# Capabilities.
+# to ensure that the server is really started as his respective user, we set
+# the suid bit (BUT NOT 0)!
+# paths are hard coded and derive from a slackware system
+# change it to your needs !!
+###########################################################################
+
+
+
+VERBOSE="-v"
+#VERBOSE=""
+APPS=""
+
+message(){
+	printRedMessage "$1"
+}
+
+printRedMessage(){
+	# print message red and turn back to white
+	echo -e "\n\033[00;31m $1 ...\033[00;00m\n"
+}
+
+printGreenMessage(){
+	# print message red and turn back to white
+	echo -e "\033[00;32m $1 ...\033[00;00m\n"
+	sleep 0.5
+}
+
+checkReturnCode(){
+    if [ "$?" != "0" ]; then
+        printRedMessage "!! I'M HAVING A PROBLEM !! THE RETURNCODE IS NOT 0 !! I STOP HERE !!"
+        exit 1
+    else
+        printGreenMessage ":-)"
+		sleep 0.5
+    fi
+}
+
+
+
+p4r_test(){
+	#for now, we work with root
+	if [ "$( id -u )" != "0" ]; then
+		echo "Sorry, you must be root !"
+		exit
+	fi
+}
+
+
+
+
+# apache 1.3
+########
+#APPS="$APPS apache1"
+apache1_convert(){
+	message "converting apache1"
+	if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+		groupadd -g 60 apache
+	fi
+	if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+		useradd -g apache -d / -u 600 apache
+	fi
+	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/apache/httpd.conf
+	chown $VERBOSE -R apache:apache /var/run/apache/
+	chown $VERBOSE -R apache:apache /etc/apache/
+	chown $VERBOSE -R apache:apache /var/log/apache/
+	chown $VERBOSE apache:apache /usr/sbin/httpd
+	chmod $VERBOSE u+s /usr/sbin/httpd
+	setcap cap_net_bind_service=ep /usr/sbin/httpd
+	checkReturnCode
+}
+apache1_revert(){
+	message "reverting apache1"
+	chown $VERBOSE -R root:root /var/run/apache/
+	chown $VERBOSE -R root:root /etc/apache/
+	chown $VERBOSE -R root:root /var/log/apache/
+	chown $VERBOSE root:root /usr/sbin/httpd
+	chmod $VERBOSE u-s /usr/sbin/httpd
+	setcap -r /usr/sbin/httpd
+	checkReturnCode
+	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/apache/httpd.conf
+	userdel apache
+	groupdel apache
+}
+
+
+# apache 2.x
+########
+APPS="$APPS apache2"
+apache2_convert(){
+	message "converting apache2"
+	if [ "$( id -g apache 2>/dev/null )" == "" ]; then
+		groupadd -g 60 apache
+	fi
+	if [ "$( id -u apache 2>/dev/null )" == "" ]; then
+		useradd -g apache -d / -u 600 apache
+	fi
+	sed -i -e "{s|^\(User\).*|\1 apache|; s|^\(Group\) .*|\1 apache|}" /etc/httpd/httpd.conf
+	chown $VERBOSE -R apache:apache /var/run/httpd/
+	chown $VERBOSE -R apache:apache /etc/httpd/
+	chown $VERBOSE -R apache:apache /var/log/httpd/
+	chown $VERBOSE apache:apache /usr/sbin/httpd
+	chmod $VERBOSE u+s /usr/sbin/httpd
+	#setfcaps -c cap_net_bind_service=p -e /usr/sbin/httpd
+	setcap cap_net_bind_service=ep /usr/sbin/httpd
+	checkReturnCode
+}
+apache2_revert(){
+	message "reverting apache2"
+	chown $VERBOSE -R root:root /var/run/httpd/
+	chown $VERBOSE -R root:root /etc/httpd/
+	chown $VERBOSE -R root:root /var/log/httpd/
+	chown $VERBOSE root:root /usr/sbin/httpd
+	chmod $VERBOSE u-s /usr/sbin/httpd
+	setcap -r /usr/sbin/httpd
+	checkReturnCode
+	sed -i -e "{s|^\(User\).*|\1 nobody|; s|^\(Group\).*|\1 nogroup|}" /etc/httpd/httpd.conf
+	userdel apache
+	groupdel apache
+}
+
+
+# samba
+#######
+APPS="$APPS samba"
+samba_convert(){
+	message "converting samba"
+	if [ "$( id -g samba 2>/dev/null )" == "" ]; then
+		groupadd -g 61 samba
+	fi
+	if [ "$( id -u samba 2>/dev/null )" == "" ]; then
+		useradd -g samba -d / -u 610 samba
+	fi
+	chown $VERBOSE -R samba:samba /var/log/samba
+	chown $VERBOSE -R samba:samba /etc/samba
+	chown $VERBOSE -R samba:samba /var/run/samba
+	chown $VERBOSE -R samba:samba /var/cache/samba
+	chown $VERBOSE samba:samba /usr/sbin/smbd /usr/sbin/nmbd
+	chmod $VERBOSE u+s /usr/sbin/smbd /usr/sbin/nmbd
+	setcap cap_net_bind_service,cap_sys_resource,cap_dac_override=ep /usr/sbin/smbd
+	checkReturnCode
+	setcap cap_net_bind_service=ep /usr/sbin/nmbd
+	checkReturnCode
+}
+
+samba_revert(){
+	message "reverting samba"
+	chown $VERBOSE -R root:root /var/log/samba
+	chown $VERBOSE -R root:root /etc/samba
+	chown $VERBOSE -R root:root /var/run/samba
+	chown $VERBOSE -R root:root /var/cache/samba
+	chown $VERBOSE root:root /usr/sbin/smbd /usr/sbin/nmbd
+	chmod $VERBOSE u-s /usr/sbin/smbd /usr/sbin/nmbd
+	setcap -r /usr/sbin/smbd
+	checkReturnCode
+	setcap -r /usr/sbin/nmbd
+	checkReturnCode
+	userdel samba
+	groupdel samba
+}
+
+
+# bind
+######
+APPS="$APPS bind"
+bind_convert(){
+	message "converting bind"
+	if [ "$( id -g bind 2>/dev/null )" == "" ]; then
+		groupadd -g 62 bind
+	fi
+	if [ "$( id -u bind 2>/dev/null )" == "" ]; then
+		useradd -g bind -d / -u 620 bind
+	fi
+	chown $VERBOSE -R bind:bind /var/run/named
+	chown $VERBOSE -R bind:bind /var/named
+	chown $VERBOSE bind:bind /etc/rndc.key
+	chown $VERBOSE bind:bind /usr/sbin/named
+	chmod $VERBOSE u+s /usr/sbin/named
+	setcap cap_net_bind_service=ep /usr/sbin/named
+	checkReturnCode
+}
+bind_revert(){
+	message "reverting bind"
+	chown $VERBOSE -R root:root /var/run/named
+	chown $VERBOSE -R root:root /var/named
+	chown $VERBOSE root:root /etc/rndc.key
+	chown $VERBOSE root:root /usr/sbin/named
+	chmod $VERBOSE u-s /usr/sbin/named
+	setcap -r /usr/sbin/named
+	checkReturnCode
+	userdel bind
+	groupdel bind
+}
+
+
+# dhcpd
+#######
+APPS="$APPS dhcpd"
+dhcpd_convert(){
+	message "converting dhcpd"
+	if [ "$( id -g dhcpd 2>/dev/null )" == "" ]; then
+		groupadd -g 63 dhcpd
+	fi
+	if [ "$( id -u dhcpd 2>/dev/null )" == "" ]; then
+		useradd -g dhcpd -d / -u 630 dhcpd
+	fi
+	chown $VERBOSE dhcpd:dhcpd /var/run/dhcpd
+	chown $VERBOSE dhcpd:dhcpd /etc/dhcpd.conf
+	chown $VERBOSE -R dhcpd:dhcpd /var/state/dhcp/
+	chown $VERBOSE dhcpd:dhcpd /usr/sbin/dhcpd
+	chmod $VERBOSE u+s /usr/sbin/dhcpd
+	setcap cap_net_bind_service,cap_net_raw=ep /usr/sbin/dhcpd
+	checkReturnCode
+}
+dhcpd_revert(){
+	message "reverting dhcpd"
+	chown $VERBOSE root:root /var/run/dhcpd
+	chown $VERBOSE root:root /etc/dhcpd.conf
+	chown $VERBOSE -R root:root /var/state/dhcp/
+	chown $VERBOSE root:root /usr/sbin/dhcpd
+	chmod $VERBOSE u-s /usr/sbin/dhcpd
+	setcap -r /usr/sbin/dhcpd
+	checkReturnCode
+	userdel dhcpd
+	groupdel dhcpd
+}
+
+
+# cupsd
+#######
+APPS="$APPS cupsd"
+cupsd_convert(){
+	message "converting cupsd"
+	if [ "$( id -g cupsd 2>/dev/null )" == "" ]; then
+		groupadd -g 64 cupsd
+	fi
+	if [ "$( id -u cupsd 2>/dev/null )" == "" ]; then
+		useradd -g cupsd -d / -u 640 cupsd
+	fi
+	sed -i -e "{s|^\(User\).*|\1 cupsd|; s|^\(Group\) .*|\1 cupsd|}" /etc/cups/cupsd.conf
+	chown $VERBOSE -R cupsd:cupsd /etc/cups
+	chown $VERBOSE -R cupsd:cupsd /var/cache/cups
+	chown $VERBOSE -R cupsd:cupsd /var/log/cups
+	chown $VERBOSE -R cupsd:cupsd /var/spool/cups
+	chown $VERBOSE -R cupsd:cupsd /var/run/cups
+	chown $VERBOSE cupsd:cupsd /usr/sbin/cupsd
+	chmod $VERBOSE u+s /usr/sbin/cupsd
+	setcap cap_net_bind_service,cap_dac_read_search=ep /usr/sbin/cupsd
+	checkReturnCode
+}
+cupsd_revert(){
+	message "reverting cupsd"
+	chown $VERBOSE -R root:root /etc/cups
+	chown $VERBOSE -R root:lp /var/cache/cups
+	chown $VERBOSE -R root:root /var/log/cups
+	chown $VERBOSE -R root:root /var/spool/cups
+	chown $VERBOSE root:lp /var/run/cups
+	chown $VERBOSE lp:sys /var/run/cups/certs
+	chmod $VERBOSE 750 /var/run/cups/certs
+	chown $VERBOSE root:root /usr/sbin/cupsd
+	chmod $VERBOSE u-s /usr/sbin/cupsd
+	setcap -r /usr/sbin/cupsd
+	checkReturnCode
+	sed -i -e "{s|^\(User\).*|\1 lp|; s|^\(Group\) .*|\1 sys|}" /etc/cups/cupsd.conf
+	userdel cupsd
+	groupdel cupsd
+}
+
+
+usage_message(){
+	echo "Try 'pcaps4server help' for more information"
+}
+
+
+p4r_usage(){
+    echo
+    echo "pcaps4server"
+    echo
+    echo "pcaps4server stores the needed POSIX Capabilities for server binaries to"
+    echo "run successful into their Permitted and Effective Set."
+    echo "The server are now able to run as an unpriviledged user."
+	echo "For each server software an unpriviledged user is added the system."
+    echo "The ownership of all the respective paths are	changed to this user."
+	echo "To ensure that the server is starting as this unpriviledgesd user, the"
+    echo "suid bit (NOT 0) is set."
+	echo "Effectively this means every user can start this server daemons (for now)."
+	echo "All paths are hard coded!"
+	echo "You have been warned. Enjoy!"
+    echo
+    echo "Your Filesystem has to support extended attributes and your kernel must have"
+    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+    echo
+    echo "Usage:  pcaps4server [PROG] [con(vert)|rev(ert)|help]"
+    echo
+    echo "         con|convert - from setuid0 to POSIX Capabilities"
+    echo "         rev|revert  - from POSIX Capabilities back to setui0"
+    echo "         help        - this help message"
+	echo
+	echo "  PROG: $APPS"
+    echo
+}
+
+
+
+
+case "$1" in
+	con|convert)
+		p4r_test
+		for j in $APPS; do
+			${j}_convert
+		done
+		exit
+		;;
+	rev|renvert)
+		p4r_test
+		for j in $APPS; do
+			${j}_revert
+		done
+		exit
+		;;
+	help)
+		p4r_usage
+		exit
+		;;
+esac
+
+for i in ${APPS}; do
+	if [ "$1" == "$i" ]; then
+		case "$2" in
+			con|convert)
+				p4r_test
+				${i}_convert
+				exit
+				;;
+			rev|revert)
+				p4r_test
+				${i}_revert
+				exit
+				;;
+			*)
+				usage_message
+				exit 1
+				;;
+			esac
+	fi
+done
+
+usage_message
diff --git a/libcap-2.19/contrib/pcaps4suid0 b/libcap-2.19/contrib/pcaps4suid0
new file mode 100644
index 0000000..799df28
--- /dev/null
+++ b/libcap-2.19/contrib/pcaps4suid0
@@ -0,0 +1,227 @@
+#!/bin/bash
+# vim:expandtab:tabstop=4
+#
+# author:    chris friedhoff - chris@friedhoff.org
+# version:   pcaps4suid0  3  Tue Mar 11 2008
+#
+#
+# changelog:
+# 1 - initial release suid02pcaps
+# 2 - renamend to pcaps4suid0
+#      implement idea of change between permitted/effective set
+#      or iherited/effective set (pam_cap.so)
+# 3 - changed 'attr -S -r' to 'setcap -r' and removed attr code
+#
+#
+#
+# change different suid-0 binaries away from suid-0 to using
+# POSIX Capabilities through their Permitted and Effective Set
+# --> legacy support
+# --> use SET=pe
+#
+# 
+# OR change different suid-0 binaries away from suid-0 to using
+# POSIX Capabilities through their Inherited and Effective Set
+# --> PAM support to set Inheritance set through pam_cap.so
+# --> use SET=ie
+#
+# 
+#
+#
+###############################################################
+# for example use this find call:
+# find {,/usr}{/bin,/sbin} -perm -4000 -uid 0 -exec ls -l {} \;
+###############################################################
+
+
+
+##HERE WE ADD APPS
+##################
+
+## these apps uses their POSIX Caps
+###################################
+# see /usr/include/linux/capability.h
+#ping=cap_net_raw
+ping=13
+#traceroute=cap_net_raw
+traceroute=13
+chsh=0,2,4,7
+chfn=0,2,4,7
+Xorg=1,6,7,17,21,26
+chage=2
+#passwd=0,2,4,7
+#passwd 0,1
+passwd=0,1,3 #PAM
+unix_chkpwd=1
+mount=1,21
+umount=1,21
+
+# this apps were converted/reverted
+###################################
+APPSARRAY=( ping traceroute chsh chfn Xorg chage passwd unix_chkpwd mount umount )
+
+
+# we put it into this set
+#########################
+#SET=pe
+SET=ie
+
+
+##FROM HERE ONLY LOGIC
+######################
+
+#save assumption!?
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin/:usr/local/sbin:/usr/local/bin
+
+p4s_test(){
+    # are we sane?
+    WICH=`which which 2>/dev/null`
+    if [ $WICH == "" ]; then
+        # thats bad
+        echo "Sorry, I haven't found which"
+        exit
+    fi
+
+    # we needt his apps
+    CHMOD=`which chmod 2>/dev/null`
+    SETCAP=`which setcap 2>/dev/null`
+    if [ "$CHMOD" == "" -o "$SETCAP" == "" ]; then
+        echo "Sorry, I'm missing chmod or setcap !"
+        exit
+    fi
+
+    # checking setcap for SET_SETFCAP PCap ?
+    # for now we stick to root
+    if [ "$( id -u )" != "0" ]; then
+        echo "Sorry, you must be root !"
+        exit 1
+    fi
+}
+
+
+
+p4s_app_convert(){
+    # convert a single app
+    # $1 is app name; $2 is POSIX Caps
+    # well symlinks to apps, so we use -a ...
+    APP=`which -a $1 2>/dev/null`
+    if [ "$APP" != "" ]; then
+        FOUND=no
+        for i in $APP; do
+            # ... and are looking for symlinks
+            if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+                echo "converting $i"
+                chmod u-s $i
+                setcap $2=$SET $i
+                FOUND=yes
+            fi
+        done
+        if [ "$FOUND" == "no" ]; then
+            # 'which' found only symlinks
+            echo "1 haven't found $1"
+        fi
+    else
+        # 'which' hasn't anything given back
+        echo "haven't found $1"
+    fi
+}
+
+
+
+p4s_app_revert(){
+    # revert a singel app
+    # $1 is app name
+    APP=`which -a $1 2>/dev/null`
+    if [ "$APP" != "" ]; then
+        FOUND=no
+        for i in $APP; do
+            if [ -f "$i" -a ! -L $i -a "$FOUND"=="no" ]; then
+                echo "reverting $i"
+                chmod u+s $i
+                setcap -r $i 2>/dev/null
+                FOUND=yes
+            fi
+        done
+        if [ "$FOUND" == "no" ]; then
+            echo "1 haven't found $1"
+        fi
+    else
+        echo "haven't found $1"
+    fi
+}
+
+
+
+p4s_convert(){
+    # we go throug the APPSARRAY and call s2p_app_convert to do the job
+    COUNTER=0
+    let UPPER=${#APPSARRAY[*]}-1
+    until [ $COUNTER == $UPPER ]; do
+        p4s_app_convert ${APPSARRAY[$COUNTER]} ${!APPSARRAY[$COUNTER]}
+        let COUNTER+=1
+    done
+}
+
+
+
+p4s_revert(){
+    COUNTER=0
+    let UPPER=${#APPSARRAY[*]}-1
+    until [ $COUNTER == $UPPER ]; do
+        p4s_app_revert ${APPSARRAY[$COUNTER]}
+        let COUNTER+=1
+    done
+
+}
+
+
+
+p4s_usage(){
+    echo
+    echo "pcaps4suid0"
+    echo
+    echo "pcaps4suid0 changes the file system entry of binaries from using setuid-0"
+    echo "to using POSIX Capabilities by granting the necessary Privileges"
+    echo "This is done by storing the needed POSIX Capabilities into the extended"
+    echo "attribute capability through setcap."
+    echo "Following the idea of setuid - granting a binary the privilege regardless"
+    echo "of the user, the POSIX Capabilities are stored into the Permitted and"
+    echo "Effective set."
+    echo "If you are using pam_cap.so, you might want to change the set into the"
+    echo "Inherited and Effective set (check for the SET var)."
+    echo
+    echo "You need and I will check fot the utilities which, chmod and setcap."
+    echo
+    echo "Your Filesystem has to support extended attributes and your kernel must have"
+    echo "support for POSIX File Capabilities (CONFIG_SECURITY_FILE_CAPABILITIES)."
+    echo
+    echo "Usage:  pcaps4suid0 [con(vert)|rev(ert)|help]"
+    echo
+    echo "         con|convert - from setuid0 to POSIX Capabilities"
+    echo "         rev|revert  - from POSIX Capabilities back to setui0"
+    echo "         help        - this help message"
+    echo
+}
+
+
+
+case "$1" in
+    con|convert)
+        p4s_test
+        p4s_convert
+        exit 0
+        ;;
+    rev|revert)
+        p4s_test
+        p4s_revert
+        exit 0
+        ;;
+    help)
+        p4s_usage
+        exit 0
+        ;;
+    *)
+        echo "Try 'pcaps4suid0 help' for more information"
+        exit 1
+        ;;
+esac
diff --git a/libcap-2.19/doc/Makefile b/libcap-2.19/doc/Makefile
new file mode 100644
index 0000000..5fe2189
--- /dev/null
+++ b/libcap-2.19/doc/Makefile
@@ -0,0 +1,49 @@
+#
+# Makefile for libcap documentation
+#
+
+topdir=$(shell pwd)/..
+include $(topdir)/Make.Rules
+
+MAN1S = capsh.1
+MAN3S = cap_init.3 cap_free.3 cap_dup.3 \
+	cap_clear.3 cap_clear_flag.3 cap_get_flag.3 cap_set_flag.3 \
+	cap_compare.3 cap_get_proc.3 cap_get_pid.3 cap_set_proc.3 \
+	cap_get_file.3 cap_get_fd.3 cap_set_file.3 cap_set_fd.3 \
+	cap_copy_ext.3 cap_size.3 cap_copy_int.3 \
+	cap_from_text.3 cap_to_text.3 cap_from_name.3 cap_to_name.3 \
+	capsetp.3 capgetp.3 libcap.3
+MAN8S = getcap.8 setcap.8
+
+MANS = $(MAN1S) $(MAN3S) $(MAN8S)
+
+all: $(MANS)
+
+.PHONY: html
+html:
+	mkdir -p html
+	for man in $(MANS) ; \
+	do \
+		egrep '^\.so man' $$man > /dev/null || \
+		groff -man -Thtml $$man > html/$$man.html ; \
+	done
+
+install:
+	mkdir -p -m 755 $(MANDIR)/man1 $(MANDIR)/man3 $(MANDIR)/man8
+	for man in \
+		$(MANDIR)/man1 $(MAN1S) \
+		$(MANDIR)/man3 $(MAN3S) \
+		$(MANDIR)/man8 $(MAN8S) \
+		; \
+	do \
+		case $$man in \
+		/*)	sub=$$man ; continue ;; \
+		esac; \
+		install -m 644 $$man $$sub ; \
+	done
+
+clean:
+	$(LOCALCLEAN)
+	rm -rf html
+
+
diff --git a/libcap-2.19/doc/cap_clear.3 b/libcap-2.19/doc/cap_clear.3
new file mode 100644
index 0000000..48f5cc0
--- /dev/null
+++ b/libcap-2.19/doc/cap_clear.3
@@ -0,0 +1,133 @@
+.TH CAP_CLEAR 3 "2008-05-11" "" "Linux Programmer's Manual"
+.SH NAME
+cap_clear, cap_clear_flag, cap_get_flag, cap_set_flag, cap_compare \- capability data object manipulation
+.SH SYNOPSIS
+.nf
+.B #include <sys/capability.h>
+.sp
+.BI "int cap_clear(cap_t " cap_p );
+.sp
+.BI "int cap_clear_flag(cap_t " cap_p ", cap_flag_t " flag ");"
+.sp
+.BI "int cap_get_flag(cap_t " cap_p ", cap_value_t " cap ,
+.BI "                 cap_flag_t " flag ", cap_flag_value_t *" value_p ");"
+.sp
+.BI "int cap_set_flag(cap_t " cap_p ", cap_flag_t " flag ", int " ncap ,
+.BI "                 const cap_value_t *" caps \
+", cap_flag_value_t " value ");"
+.sp
+.BI "int cap_compare(cap_t " cap_a ", cap_t " cap_b ");"
+.sp
+Link with \fI-lcap\fP.
+.fi
+.SH DESCRIPTION
+These functions work on a capability state held in working storage.
+A
+.I cap_t
+holds information about the capabilities in each of the three sets,
+Permitted, Inheritable, and Effective.
+Each capability in a set may be clear (disabled, 0) or set (enabled, 1).
+.PP
+These functions work with the following data types:
+.TP 18
+.I cap_value_t
+identifies a capability, such as
+.BR CAP_CHOWN .
+.TP
+.I cap_flag_t
+identifies one of the three flags associated with a capability
+(i.e., it identifies one of the three capability sets).
+Valid values for this type are
+.BR CAP_EFFECTIVE ,
+.B CAP_INHERITABLE
+or
+.BR CAP_PERMITTED .
+.TP
+.I cap_flag_value_t
+identifies the setting of a particular capability flag
+(i.e, the value of a capability in a set).
+Valid values for this type are
+.B CAP_CLEAR
+(0) or
+.B CAP_SET
+(1).
+.PP
+.BR cap_clear ()
+initializes the capability state in working storage identified by
+.I cap_p
+so that all capability flags are cleared.
+.PP
+.BR cap_clear_flag ()
+clears all of the capabilities of the specified capability flag,
+.IR flag .
+.PP
+.BR cap_get_flag ()
+obtains the current value of the capability flag,
+.IR flag ,
+of the capability,
+.IR cap ,
+from the capability state identified by
+.I cap_p
+and places it in the location pointed to by
+.IR value_p .
+.PP
+.BR cap_set_flag ()
+sets the flag,
+.IR flag ,
+of each capability in the array
+.I caps
+in the capability state identified by
+.I cap_p
+to
+.IR value .
+The argument,
+.IR ncap ,
+is used to specify the number of capabilities in the array,
+.IR caps .
+.PP
+.BR cap_compare ()
+compares two full capability sets and, in the spirit of
+.BR memcmp (),
+returns zero if the two capability sets are identical. A positive
+return value,
+.BR status ,
+indicates there is a difference between them. The
+returned value carries further information about which of three sets,
+.I cap_flag_t
+.BR flag ,
+differ. Specifically, the macro
+.B CAP_DIFFERS
+.RI ( status ", " flag )
+evaluates to non-zero if the returned status differs in its
+.I flag
+components.
+.SH "RETURN VALUE"
+.BR cap_clear (),
+.BR cap_clear_flag (),
+.BR cap_get_flag ()
+.BR cap_set_flag ()
+and
+.BR cap_compare ()
+return zero on success, and \-1 on failure. Other return values for
+.BR cap_compare ()
+are described above.
+.PP
+On failure,
+.I errno
+is set to 
+.BR EINVAL ,
+indicating that one of the arguments is invalid.
+.SH "CONFORMING TO"
+These functions are as per the withdrawn POSIX.1e draft specification.
+.BR cap_clear_flag ()
+and
+.BR cap_compare ()
+are Linux extensions.
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_copy_ext (3),
+.BR cap_from_text (3),
+.BR cap_get_file (3),
+.BR cap_get_proc (3),
+.BR cap_init (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_clear_flag.3 b/libcap-2.19/doc/cap_clear_flag.3
new file mode 100644
index 0000000..db506c6
--- /dev/null
+++ b/libcap-2.19/doc/cap_clear_flag.3
@@ -0,0 +1 @@
+.so man3/cap_clear.3
diff --git a/libcap-2.19/doc/cap_compare.3 b/libcap-2.19/doc/cap_compare.3
new file mode 100644
index 0000000..db506c6
--- /dev/null
+++ b/libcap-2.19/doc/cap_compare.3
@@ -0,0 +1 @@
+.so man3/cap_clear.3
diff --git a/libcap-2.19/doc/cap_copy_ext.3 b/libcap-2.19/doc/cap_copy_ext.3
new file mode 100644
index 0000000..61d9381
--- /dev/null
+++ b/libcap-2.19/doc/cap_copy_ext.3
@@ -0,0 +1,104 @@
+.TH CAP_COPY_EXT 3 "2008-05-11" "" "Linux Programmer's Manual"
+.SH NAME
+cap_copy_ext, cap_size, cap_copy_int \- capability state
+external representation translation
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.BI "ssize_t cap_size(cap_t " cap_p );
+.sp
+.BI "ssize_t cap_copy_ext(void *" ext_p ", cap_t " cap_p ", ssize_t " size );
+.sp
+.BI "cap_t cap_copy_int(const void *" ext_p );
+.sp
+Link with \fI-lcap\fP.
+.SH DESCRIPTION
+These functions translate between internal and external
+representations of a capability state.  The external representation is
+an exportable, contiguous, persistent representation of a capability
+state in user-managed space.  The internal representation is managed
+by the capability functions in working storage.
+.PP
+.BR cap_size ()
+returns the total length (in bytes) that the capability state in working
+storage identified by
+.I cap_p
+would require when converted by
+.BR cap_copy_ext ().
+This function is used primarily to determine the amount of buffer space that
+must be provided to the
+.BR cap_copy_ext ()
+function in order to hold the capability data record created from
+.IR cap_p .
+.PP
+.BR cap_copy_ext ()
+copies a capability state in working storage, identified by
+.IR cap_p ,
+from system managed space to user-managed space (pointed to by
+.IR ext_p )
+and returns the length of the resulting data record.  The size parameter
+represents the maximum size, in bytes, of the resulting data record.  The
+.BR cap_copy_ext ()
+function will do any conversions necessary to convert the capability
+state from the undefined internal format to an exportable, contiguous,
+persistent data record.  It is the responsibility of the user to
+allocate a buffer large enough to hold the copied data.  The buffer
+length required to hold the copied data may be obtained by a call to
+the
+.BR cap_size ()
+function.
+.PP
+.BR cap_copy_int ()
+copies a capability state from a capability data record in user-managed
+space to a new capability state in working storage, allocating any
+memory necessary, and returning a pointer to the newly created capability
+state.  The function initializes the capability state and then copies
+the capability state from the record pointed to by
+.I ext_p
+into the capability state, converting, if necessary, the data from a
+contiguous, persistent format to an undefined, internal format.  Once
+copied into internal format, the object can be manipulated by the capability
+state manipulation functions (see
+.BR cap_clear (3)).
+Note that the record pointed to by
+.I ext_p
+must have been obtained from a previous, successful call to
+.BR cap_copy_ext ()
+for this function to work successfully.  The caller should free any
+releasable memory, when the capability state in working storage is no
+longer required, by calling
+.BR cap_free ()
+with the
+.I cap_t
+as an argument.
+.SH "RETURN VALUE"
+.BR cap_size ()
+returns the length required to hold a capability data record on success,
+and -1 on failure.
+.PP
+.BR cap_copy_ext ()
+returns the number of bytes placed in the user managed space pointed to by
+.I ext_p 
+on success, and -1 on failure.
+.PP
+.BR cap_copy_int ()
+returns a pointer to the newly created capability state in working storage
+on success, and NULL on failure.
+.PP
+On failure,
+.BR errno
+is set to
+.BR EINVAL ,
+.BR ENOMEM ,
+or
+.BR ERANGE .
+.SH "CONFORMING TO"
+These functions are specified in the withdrawn POSIX.1e draft specification.
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_clear (3),
+.BR cap_from_text (3),
+.BR cap_get_file (3),
+.BR cap_get_proc (3),
+.BR cap_init (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_copy_int.3 b/libcap-2.19/doc/cap_copy_int.3
new file mode 100644
index 0000000..2e6e89c
--- /dev/null
+++ b/libcap-2.19/doc/cap_copy_int.3
@@ -0,0 +1 @@
+.so man3/cap_copy_ext.3
diff --git a/libcap-2.19/doc/cap_dup.3 b/libcap-2.19/doc/cap_dup.3
new file mode 100644
index 0000000..7810cff
--- /dev/null
+++ b/libcap-2.19/doc/cap_dup.3
@@ -0,0 +1 @@
+.so man3/cap_init.3
diff --git a/libcap-2.19/doc/cap_free.3 b/libcap-2.19/doc/cap_free.3
new file mode 100644
index 0000000..7810cff
--- /dev/null
+++ b/libcap-2.19/doc/cap_free.3
@@ -0,0 +1 @@
+.so man3/cap_init.3
diff --git a/libcap-2.19/doc/cap_from_name.3 b/libcap-2.19/doc/cap_from_name.3
new file mode 100644
index 0000000..83ec8b5
--- /dev/null
+++ b/libcap-2.19/doc/cap_from_name.3
@@ -0,0 +1 @@
+.so man3/cap_from_text.3
diff --git a/libcap-2.19/doc/cap_from_text.3 b/libcap-2.19/doc/cap_from_text.3
new file mode 100644
index 0000000..1128df8
--- /dev/null
+++ b/libcap-2.19/doc/cap_from_text.3
@@ -0,0 +1,233 @@
+.\"
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH CAP_FROM_TEXT 3 "2008-05-10" "" "Linux Programmer's Manual"
+.SH NAME
+cap_from_text, cap_to_text, cap_to_name, cap_from_name \- capability
+state textual representation translation
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.BI "cap_t cap_from_text(const char *" buf_p );
+.sp
+.BI "char *cap_to_text(cap_t " caps ", ssize_t *" length_p );
+.sp
+.BI "int cap_from_name(const char *" name ", cap_value_t *" cap_p );
+.sp
+.BI "char *cap_to_name(cap_value_t " cap );
+.sp
+Link with \fI-lcap\fP.
+.SH DESCRIPTION
+These functions translate a capability state between
+an internal representation and a textual one.
+The internal representation is managed by the capability
+functions in working storage. The textual representation is a structured,
+human-readable string suitable for display.
+.PP
+.BR cap_from_text ()
+allocates and initializes a capability state in working storage. It
+then sets the contents of this newly created capability state to the
+state represented by a human-readable, nul-terminated character
+string pointed to by
+.IR buf_p .
+It returns a pointer to the newly created capability state.
+When the capability state in working storage is no longer required,
+the caller should free any releasable memory
+by calling
+.BR cap_free ()
+with
+.I cap_t
+as an argument.  The function returns an error if it cannot parse the
+contents of the string pointed to by
+.I buf_p
+or does not recognize any
+.I capability_name
+or flag character as valid.  The function also returns an error if any flag
+is both set and cleared within a single clause.
+.PP
+.BR cap_to_text ()
+converts the capability state in working storage identified by
+.I cap_p
+into a nul-terminated human-readable string.  This function allocates
+any memory necessary to contain the string, and returns a pointer to
+the string.  If the pointer
+.I len_p
+is not NULL,
+the function shall also return the full length of the string (not including
+the nul terminator) in the location pointed to by
+.IR len_p .
+The capability state in working storage, identified by
+.IR cap_p ,
+is completely represented in the character string.
+When the capability state in working storage is no longer required,
+the caller should free any releasable memory by calling
+.BR cap_free ()
+with the returned string pointer as an argument.
+.PP
+.BR cap_from_name ()
+converts a text representation of a capability, such as "cap_chown",
+to its numerical representation
+.RB ( CAP_CHOWN=0 ),
+writing the decoded value into
+.IR *cap_p .
+If
+.I cap_p
+is NULL
+no result is written, but the return code of the function indicates
+whether or not the specified capability can be represented by the
+library.
+.PP
+.BR cap_to_name ()
+converts a capability index value,
+.IR cap ,
+to a libcap-allocated textual string. This string should be
+deallocated with
+.BR cap_free ().
+.SH "TEXTUAL REPRESENTATION"
+A textual representation of capability sets consists of one or more
+whitespace-separated
+.IR clauses .
+Each clause specifies some operations on a capability set; the set
+starts out with all capabilities lowered, and the meaning of the
+string is the state of the capability set after all the clauses have
+been applied in order.
+.PP
+Each clause consists of a list of comma-separated capability names
+(or the word
+.RB ` all '),
+followed by an
+.IR action-list .
+An action-list consists of a sequence of
+.I operator flag
+pairs.  Legal operators are:
+.RB ` = "', '" + "', and `" - "'."
+Legal flags are:
+.RB ` e "', `" i "', and `" p "'."
+These flags are case-sensitive and specify the Effective, Inheritable
+and Permitted sets respectively.
+.PP
+In the capability name lists, all names are case-insensitive.  The
+special name
+.RB ` all '
+specifies all capabilities; it is equivalent to a list naming every
+capability individually.
+.PP
+Unnamed capabilities can also be specified by number. This feature
+ensures that libcap can support capabilities that were not allocated
+at the time libcap was compiled. However, generally upgrading libcap
+will add names for recently allocated capabilities.
+.PP
+The
+.RB ` = '
+operator indicates that the listed capabilities are first reset in
+all three capability sets.  The subsequent flags (which are optional
+when associated with this operator) indicate that the listed
+capabilities for the corresponding set are to be raised.  For example:
+"all=p" means lower every capability in the Effective and Inheritable
+sets but raise all of the Permitted capabilities;
+or, "cap_fowner=ep" means raise the Effective and Permitted
+override-file-ownership capability, while lowering this Inheritable
+capability.
+.PP
+In the case that the leading operator is
+.RB ` = ',
+and no list of capabilities is provided, the action-list is assumed to
+refer to `all' capabilities.  For example, the following three
+clauses are equivalent to each other (and indicate a completely empty
+capability set): "all="; "="; "cap_chown,<every-other-capability>=".
+.PP
+The operators, `+' and `-' both require an explicit preceding
+capability list and one or more explicit trailing flags.  The `+'
+operator will raise all of the listed capabilities in the flagged
+capability sets.  The `-' operator will lower all of the listed
+capabilities in the flagged capability sets.  For example:
+"all+p" will raise all of the Permitted capabilities; "cap_fowner+p-i"
+will raise the override-file-ownership capability in the Permitted
+capability set and lower this Inheritable capability;
+"cap_fowner+pe-i" and "cap_fowner=+pe" are equivalent.
+.SH "RETURN VALUE"
+.BR cap_from_text (),
+.BR cap_to_text ()
+and
+.BR cap_to_text ()
+return a non-NULL value on success, and NULL on failure.
+.BR cap_from_text ()
+returns 0 for success, and -1 on failure (unknown capability).
+.PP
+On failure,
+.I errno
+is set to 
+.BR EINVAL ,
+or 
+.BR ENOMEM .
+.SH "CONFORMING TO"
+.BR cap_from_text ()
+and
+.BR cap_to_text ()
+are specified by the withdrawn POSIX.1e draft specification.
+.BR cap_from_name ()
+and
+.BR cap_to_name ()
+are Linux extensions.
+.SH EXAMPLE
+The example program below demonstrates the use of
+.BR cap_from_text ()
+and
+.BR cap_to_text ().
+The following shell session shows a some example runs:
+.in +4n
+.nf
+
+$ ./a.out "cap_chown=p cap_chown+e"
+caps_to_text() returned "= cap_chown+ep"
+$ ./a.out "all=pe cap_chown-e cap_kill-pe"
+caps_to_text() returned "=ep cap_chown-e cap_kill-ep"
+
+.fi
+.in
+The source code of the program is as follows:
+.nf
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/capability.h>
+
+#define handle_error(msg) \\
+    do { perror(msg); exit(EXIT_FAILURE); } while (0)
+
+int
+main(int argc, char *argv[])
+{
+    cap_t caps;
+    char *txt_caps;
+
+    if (argc != 2) {
+        fprintf(stderr, "%s <textual\-cap\-set>\\n", argv[0]);
+        exit(EXIT_FAILURE);
+    }
+
+    caps = cap_from_text(argv[1]);
+    if (caps == NULL)
+        handle_error("cap_from_text");
+
+    txt_caps = cap_to_text(caps, NULL);
+    if (txt_caps == NULL)
+        handle_error("cap_to_text");
+
+    printf("caps_to_text() returned \\"%s\\"\\n", txt_caps);
+
+    if (cap_free(txt_caps) != 0 || cap_free(caps) != 0)
+        handle_error("cap_free");
+
+    exit(EXIT_SUCCESS);
+}
+.fi
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_clear (3),
+.BR cap_compare (3),
+.BR cap_copy_ext (3),
+.BR cap_get_file (3),
+.BR cap_get_proc (3),
+.BR cap_init (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_get_fd.3 b/libcap-2.19/doc/cap_get_fd.3
new file mode 100644
index 0000000..3970c34
--- /dev/null
+++ b/libcap-2.19/doc/cap_get_fd.3
@@ -0,0 +1 @@
+.so man3/cap_get_file.3
diff --git a/libcap-2.19/doc/cap_get_file.3 b/libcap-2.19/doc/cap_get_file.3
new file mode 100644
index 0000000..107b6d1
--- /dev/null
+++ b/libcap-2.19/doc/cap_get_file.3
@@ -0,0 +1,124 @@
+.\"
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH CAP_GET_FILE 3 "2008-05-11" "" "Linux Programmer's Manual"
+.SH NAME
+cap_get_file, cap_set_file, cap_get_fd, cap_set_fd \- capability
+manipulation on files
+.SH SYNOPSIS
+.B
+.sp
+.B #include <sys/capability.h>
+.sp
+.BI "cap_t cap_get_file(const char *" path_p );
+.sp
+.BI "int cap_set_file(const char *" path_p ", cap_t " cap_p );
+.sp
+.BI "cap_t cap_get_fd(int " fd );
+.sp
+.BI "int cap_set_fd(int " fd ", cap_t " caps );
+.sp
+Link with \fI-lcap\fP.
+.SH DESCRIPTION
+.BR cap_get_file ()
+and
+.BR cap_get_fd ()
+allocate a capability state in working storage and set it to represent the
+capability state of the pathname pointed to by
+.I path_p
+or the file open on descriptor
+.IR fd .
+These functions return a pointer to the newly created capability
+state.  The effects of reading the capability state from any file
+other than a regular file is undefined.  The caller should free any
+releasable memory, when the capability state in working storage is no
+longer required, by calling
+.BR cap_free ()
+with the used
+.I cap_t
+as an argument.
+.PP
+.BR cap_set_file ()
+and
+.BR cap_set_fd ()
+set the values for all capability flags for all capabilities for the pathname
+pointed to by
+.I path_p
+or the file open on descriptor
+.IR fd ,
+with the capability state identified by
+.IR cap_p .
+The new capability state of the file is completely determined by the
+contents of
+.IR cap_p .
+A NULL value for
+.IR cap_p
+is used to indicate that capabilities for the file should be deleted.
+For these functions to succeed, the calling process must have the
+effective capability,
+.BR CAP_SETFCAP ,
+enabled and either the effective user ID of the process must match the
+file owner or the calling process must have the
+.B CAP_FOWNER
+flag in its effective capability set.  The effects of writing the
+capability state to any file type other than a regular file are
+undefined.
+.SH "RETURN VALUE"
+.BR cap_get_file ()
+and
+.BR cap_get_fd ()
+return a non-NULL value on success, and NULL on failure.
+.PP
+.BR cap_set_file ()
+and
+.BR cap_set_fd ()
+return zero on success, and \-1 on failure.
+.PP
+On failure,
+.I errno
+is set to
+.BR EACCES ,
+.BR EBADFD ,
+.BR ENAMETOOLONG ,
+.BR ENOENT ,
+.BR ENOMEM ,
+.BR ENOTDIR ,
+.BR EPERM ,
+or
+.BR EROFS .
+.SH "CONFORMING TO"
+These functions are specified by withdrawn POSIX.1e draft specification.
+.SH NOTES
+Support for file capabilities is provided on Linux since version 2.6.24.
+
+On Linux, the file Effective set is a single bit.
+If it is enabled, then all Permitted capabilities are enabled
+in the Effective set of the calling process when the file is executed;
+otherwise, no capabilities are enabled in the process's Effective set
+following an
+.BR execve (2).
+Because the file Effective set is a single bit,
+if any capability is enabled in the Effective set of the
+.I cap_t
+given to
+.BR cap_set_file ()
+or
+.BR cap_set_fd (),
+then all capabilities whose Permitted or Inheritable flag
+is enabled must also have the Effective flag enabled.
+Conversely, if the Effective bit is enabled on a file, then the
+.I cap_t
+returned by
+.BR cap_get_file()
+and
+.BR cap_get_fd()
+will have the Effective flag enabled for each capability that has the
+Permitted or Inheritable flag enabled.
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_clear (3),
+.BR cap_copy_ext (3),
+.BR cap_from_text (3),
+.BR cap_get_proc (3),
+.BR cap_init (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_get_flag.3 b/libcap-2.19/doc/cap_get_flag.3
new file mode 100644
index 0000000..db506c6
--- /dev/null
+++ b/libcap-2.19/doc/cap_get_flag.3
@@ -0,0 +1 @@
+.so man3/cap_clear.3
diff --git a/libcap-2.19/doc/cap_get_pid.3 b/libcap-2.19/doc/cap_get_pid.3
new file mode 100644
index 0000000..65ea3e4
--- /dev/null
+++ b/libcap-2.19/doc/cap_get_pid.3
@@ -0,0 +1 @@
+.so man3/cap_get_proc.3
diff --git a/libcap-2.19/doc/cap_get_proc.3 b/libcap-2.19/doc/cap_get_proc.3
new file mode 100644
index 0000000..18564e5
--- /dev/null
+++ b/libcap-2.19/doc/cap_get_proc.3
@@ -0,0 +1,165 @@
+.\"
+.\" $Id: cap_get_proc.3,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+.\"
+.TH CAP_GET_PROC 3 "2008-05-11" "" "Linux Programmer's Manual"
+.SH NAME
+cap_get_proc, cap_set_proc, capgetp \- capability manipulation on
+processes
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.B "cap_t cap_get_proc(void);"
+.sp
+.BI "int cap_set_proc(cap_t " cap_p );
+.sp
+.B #include <sys/types.h>
+.sp
+.BI "cap_t cap_get_pid(pid_t " pid );
+.sp
+Link with \fI-lcap\fP.
+.SH DESCRIPTION
+.BR cap_get_proc ()
+allocates a capability state in working storage, sets its state to
+that of the calling process, and returns a pointer to this newly
+created capability state.  The caller should free any releasable
+memory, when the capability state in working storage is no longer
+required, by calling
+.BR cap_free ()
+with the
+.I cap_t
+as an argument.
+.PP
+.BR cap_set_proc ()
+sets the values for all capability flags for all capabilities to the
+capability state identified by
+.IR cap_p .
+The new capability state of the process will be completely determined by
+the contents of
+.I cap_p
+upon successful return from this function.  If any flag in
+.I cap_p
+is set for any capability not currently permitted for the calling process,
+the function will fail, and the capability state of the process will remain
+unchanged.
+.PP
+.BR cap_get_pid ()
+returns
+.IR cap_d ,
+see 
+.BR cap_init (3),
+with the process capabilities of the process indicated by
+.IR pid .
+This information can also be obtained from the
+.I /proc/<pid>/status
+file.
+.SH "RETURN VALUE"
+The functions
+.BR cap_get_proc ()
+and
+.BR cap_get_pid ()
+return a non-NULL value on success, and NULL on failure.
+.PP
+The function
+.BR cap_set_proc ()
+return zero for success, and \-1 on failure.
+.PP
+On failure,
+.I errno
+is set to
+.BR EINVAL ,
+.BR EPERM,
+or
+.BR ENOMEM .
+.SH "CONFORMING TO"
+.BR cap_set_proc ()
+and
+.BR cap_get_proc ()
+are specified in the withdrawn POSIX.1e draft specification.
+.BR cap_get_pid ()
+is a Linux extension.
+.SH "NOTES"
+The library also supports the deprecated functions:
+.PP
+.BI "int capgetp(pid_t " pid ", cap_t " cap_d );
+.PP
+.BI "int capsetp(pid_t " pid ", cap_t " cap_d );
+.PP
+.BR capgetp ()
+attempts to obtain the capabilities of some other process; storing the
+capabilities in a pre-allocated
+.IR cap_d . See
+.BR cap_init ()
+for information on allocating an empty capability set. This function,
+.BR capgetp (),
+is deprecated, you should use
+.BR cap_get_pid ().
+.PP
+.BR capsetp ()
+attempts to set the capabilities of some other process(es),
+.IR pid . 
+If
+.I pid
+is positive it refers to a specific process;  if it is zero, it refers
+to the current process; -1 refers to all processes other than the
+current process and process '1' (typically 
+.BR init (8));
+other negative values refer to the
+.I -pid
+process group.  In order to use this function, the kernel must support
+it and the current process must have
+.B CAP_SETPCAP
+raised in its Effective capability set. The capabilities set in the
+target process(es) are those contained in
+.IR cap_d .
+Kernels that support filesystem capabilities redefine the semantics of
+.B CAP_SETPCAP
+and on such systems this function will always fail for any target not
+equal to the current process.
+.BR capsetp ()
+returns zero for success, and \-1 on failure.
+
+Where supported by the kernel, the function
+.BR capsetp ()
+should be used with care.  It existed, primarily, to overcome an early
+lack of support for capabilities in the filesystems supported by
+Linux.  Note that, by default, the only processes that have
+.B CAP_SETPCAP
+available to them are processes started as a kernel thread.
+(Typically this includes
+.BR init (8),
+kflushd and kswapd). You will need to recompile the kernel to modify
+this default.
+.SH EXAMPLE
+The code segment below raises the
+.B CAP_FOWNER
+and
+.B CAP_SETFCAP
+effective capabilities for the caller:
+.nf
+
+    cap_t caps;
+    cap_value_t cap_list[2];
+
+    caps = cap_get_proc();
+    if (caps == NULL)
+        /* handle error */;
+
+    cap_list[0] = CAP_FOWNER;
+    cap_list[1] = CAP_SETFCAP;
+    if (cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_list, CAP_SET) == -1)
+        /* handle error */;
+
+    if (cap_set_proc(caps) == -1)
+        /* handle error */;
+
+    if (cap_free(caps) == -1)
+        /* handle error */;
+.fi
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_clear (3),
+.BR cap_copy_ext (3),
+.BR cap_from_text (3),
+.BR cap_get_file (3),
+.BR cap_init (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_init.3 b/libcap-2.19/doc/cap_init.3
new file mode 100644
index 0000000..f198f63
--- /dev/null
+++ b/libcap-2.19/doc/cap_init.3
@@ -0,0 +1,86 @@
+.\"
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH CAP_INIT 3 "2008-05-11" "" "Linux Programmer's Manual"
+.SH NAME
+cap_init, cap_free, cap_dup \- capability data object storage management
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.B cap_t cap_init(void);
+.sp
+.BI "int cap_free(void *" obj_d );
+.sp
+.BI "cap_t cap_dup(cap_t " cap_p );
+.sp
+Link with \fI-lcap\fP.
+.SH DESCRIPTION
+The capabilities associated with a file or process are never edited
+directly.  Instead, working storage is allocated to contain a
+representation of the capability state.  Capabilities are edited and
+manipulated only within this working storage area.  Once editing of
+the capability state is complete, the updated capability state is used
+to replace the capability state associated with the file or process.
+.PP
+.BR cap_init ()
+creates a capability state in working storage and returns a pointer to
+the capability state.  The initial value of all flags are cleared.  The
+caller should free any releasable memory, when the capability state in
+working storage is no longer required, by calling
+.BR cap_free ()
+with the 
+.I cap_t
+as an argument.
+.PP
+.BR cap_free ()
+liberates any releasable memory that has been allocated to the
+capability state identified by
+.IR obj_d .
+The
+.I obj_d
+argument may identify either a
+.I cap_t
+entity, or a
+.I char *
+entity allocated by the
+.BR cap_to_text ()
+function.
+.PP
+.BR cap_dup ()
+returns a duplicate capability state in working storage given by the
+source object
+.IR cap_p , 
+allocating any memory necessary, and returning a
+pointer to the newly created capability state.  Once duplicated, no
+operation on either capability state affects the other in any way.
+When the duplicated capability state in working storage is no longer required,
+the caller should free any releasable memory by calling
+.BR cap_free ()
+with the 
+.I cap_t
+as an argument.
+.SH "RETURN VALUE"
+.BR cap_init ()
+and
+.BR cap_dup ()
+return a non-NULL value on success, and NULL on failure.
+.PP
+.BR cap_free ()
+returns zero on success, and \-1 on failure.
+.PP
+On failure,
+.I errno
+is set to
+.BR EINVAL
+or
+.BR ENOMEM .
+.SH "CONFORMING TO"
+These functions are specified in the withdrawn POSIX.1e draft specification.
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR cap_clear (3),
+.BR cap_copy_ext (3),
+.BR cap_from_text (3),
+.BR cap_get_file (3),
+.BR cap_get_proc (3),
+.BR capabilities (7)
diff --git a/libcap-2.19/doc/cap_set_fd.3 b/libcap-2.19/doc/cap_set_fd.3
new file mode 100644
index 0000000..3970c34
--- /dev/null
+++ b/libcap-2.19/doc/cap_set_fd.3
@@ -0,0 +1 @@
+.so man3/cap_get_file.3
diff --git a/libcap-2.19/doc/cap_set_file.3 b/libcap-2.19/doc/cap_set_file.3
new file mode 100644
index 0000000..3970c34
--- /dev/null
+++ b/libcap-2.19/doc/cap_set_file.3
@@ -0,0 +1 @@
+.so man3/cap_get_file.3
diff --git a/libcap-2.19/doc/cap_set_flag.3 b/libcap-2.19/doc/cap_set_flag.3
new file mode 100644
index 0000000..db506c6
--- /dev/null
+++ b/libcap-2.19/doc/cap_set_flag.3
@@ -0,0 +1 @@
+.so man3/cap_clear.3
diff --git a/libcap-2.19/doc/cap_set_proc.3 b/libcap-2.19/doc/cap_set_proc.3
new file mode 100644
index 0000000..65ea3e4
--- /dev/null
+++ b/libcap-2.19/doc/cap_set_proc.3
@@ -0,0 +1 @@
+.so man3/cap_get_proc.3
diff --git a/libcap-2.19/doc/cap_size.3 b/libcap-2.19/doc/cap_size.3
new file mode 100644
index 0000000..2e6e89c
--- /dev/null
+++ b/libcap-2.19/doc/cap_size.3
@@ -0,0 +1 @@
+.so man3/cap_copy_ext.3
diff --git a/libcap-2.19/doc/cap_to_name.3 b/libcap-2.19/doc/cap_to_name.3
new file mode 100644
index 0000000..83ec8b5
--- /dev/null
+++ b/libcap-2.19/doc/cap_to_name.3
@@ -0,0 +1 @@
+.so man3/cap_from_text.3
diff --git a/libcap-2.19/doc/cap_to_text.3 b/libcap-2.19/doc/cap_to_text.3
new file mode 100644
index 0000000..83ec8b5
--- /dev/null
+++ b/libcap-2.19/doc/cap_to_text.3
@@ -0,0 +1 @@
+.so man3/cap_from_text.3
diff --git a/libcap-2.19/doc/capability.notes b/libcap-2.19/doc/capability.notes
new file mode 100644
index 0000000..b1e5245
--- /dev/null
+++ b/libcap-2.19/doc/capability.notes
@@ -0,0 +1,58 @@
+Overview
+--------
+
+As of Linux 2.2.0, the power of the superuser has been partitioned
+into a set of discrete capabilities (in other places, these
+capabilities are know as privileges).
+
+The contents of the libcap package are a library and a number of
+simple programs that are intended to show how an application/daemon
+can be protected (with wrappers) or rewritten to take advantage of
+this fine grained approach to constraining the danger to your system
+from programs running as 'root'.
+
+Notes on securing your system
+-----------------------------
+
+Adopting a role approach to system security:
+
+changing all of the system binaries and directories to be owned by
+some user that cannot log on. You might like to create a user with
+the name 'system' who's account is locked with a '*' password. This
+user can be made the owner of all of the system directories on your
+system and critical system binaries too.
+
+Why is this a good idea? In a simple case, the CAP_FUSER capabilty is
+required for the superuser to delete files owned by a non-root user in
+a 'sticky-bit' protected non-root owned directory. Thus, the sticky
+bit can help you protect the /lib/ directory from an compromized
+daemon where the directory and the files it contains are owned by the
+system user. It can be protected by using a wrapper like execcap to
+ensure that the daemon is not running with the CAP_FUSER capability...
+
+
+Limiting the damage:
+
+If your daemon only needs to be setuid-root in order to bind to a low
+numbered port. You should restrict it to only having access to the
+CAP_NET_BIND_SERVICE capability. Coupled with not having any files on
+the system owned by root, it becomes significantly harder for such a
+daemon to damage your system.
+
+Note, you should think of this kind of trick as making things harder
+for a potential attacker to exploit a hole in a daemon of this
+type. Being able to bind to any privileged port is still a formidable
+privilege and can lead to difficult but 'interesting' man in the
+middle attacks -- hijack the telnet port for example and masquerade as
+the login program... Collecting passwords for another day.
+
+
+The /proc/ filesystem:
+
+This Linux-specific directory tree holds most of the state of the
+system in a form that can sometimes be manipulated by file
+read/writes.  Take care to ensure that the filesystem is not mounted
+with uid=0, since root (with no capabilities) would still be able to
+read sensitive files in the /proc/ tree - kcore for example.
+
+[Patch is available for 2.2.1 - I just wrote it!]
diff --git a/libcap-2.19/doc/capgetp.3 b/libcap-2.19/doc/capgetp.3
new file mode 100644
index 0000000..65ea3e4
--- /dev/null
+++ b/libcap-2.19/doc/capgetp.3
@@ -0,0 +1 @@
+.so man3/cap_get_proc.3
diff --git a/libcap-2.19/doc/capsetp.3 b/libcap-2.19/doc/capsetp.3
new file mode 100644
index 0000000..65ea3e4
--- /dev/null
+++ b/libcap-2.19/doc/capsetp.3
@@ -0,0 +1 @@
+.so man3/cap_get_proc.3
diff --git a/libcap-2.19/doc/capsh.1 b/libcap-2.19/doc/capsh.1
new file mode 100644
index 0000000..4f9273d
--- /dev/null
+++ b/libcap-2.19/doc/capsh.1
@@ -0,0 +1,164 @@
+.\"
+.\" capsh.1 Man page added 2009-12-23 Andrew G. Morgan <morgan@kernel.org>
+.\"
+.TH CAPSH 1 "2009-12-24" "libcap 2" "User Commands"
+.SH NAME
+capsh \- capability shell wrapper
+.SH SYNOPSIS
+.B capsh
+[\fIOPTION\fR]...
+.SH DESCRIPTION
+Linux capability support and use can be explored and constrained with
+this tool. This tool provides a handy wrapper for certain types
+of capability testing and environment creation. It also provides some
+debugging features useful for summarizing capability state.
+.SH OPTIONS
+The tool takes a number of optional arguments, acting on them in the
+order they are provided. They are as follows:
+.TP 22
+.B --print
+Display prevailing capability and related state.
+.TP
+.BI -- " [args]"
+Execute
+.B /bin/bash
+with trailing arguments. Note, you can use
+.B -c 'command to execute'
+for specific commands.
+.TP
+.B ==
+Execute
+.B capsh
+again with remaining arguments. Useful for testing
+.BR exec ()
+behavior.
+.TP
+.BI --caps= cap-set
+Set the prevailing process capabilities to those specified by
+.IR cap-set .
+Where
+.I cap-set
+is a text-representation of capability state as per
+.BR cap_from_text (3).
+.TP
+.BI --drop= cap-list
+Remove the listed capabilities from the prevailing bounding set. The
+capabilites are a comma separated list of capabilities as recognized
+by the
+.BR cap_from_name (3)
+function. Use of this feature requires that the capsh program is
+operating with
+.B CAP_SETPCAP
+in its effective set.
+.TP
+.BI --inh= cap-list
+Set the inheritable set of capabilities for the current process to
+equal those provided in the comma separated list. For this action to
+succeed, the prevailing process should already have each of these
+capabilities in the union of the current inheritable and permitted
+capability sets, or the capsh program is operating with
+.B CAP_SETPCAP
+in its effective set.
+.TP
+.BI --user= username
+Assume the identity of the named user. That is, look up the user's
+.IR uid " and " gid
+with
+.BR getpwuid (3)
+and their group memberships with
+.BR getgrouplist (3)
+and set them all.
+.TP
+.BI --uid= id
+Force all
+.B uid
+values to equal
+.I id
+using the
+.BR setuid (2)
+system call.
+.TP
+.BI --gid= <id>
+Force all
+.B gid
+values to equal
+.I id
+using the
+.BR setgid (2)
+system call.
+.TP
+.BI --groups= <id-list>
+Set the supplementary groups to the numerical list provided. The
+groups are set with the
+.BR setgroups (2)
+system call.
+.TP
+.BI --keep= <0|1>
+In a non-pure capability mode, the kernel provides liberal privilege
+to the super-user. However, it is normally the case that when the
+super-user changes
+.I uid
+to some lesser user, then capabilities are dropped. For these
+situations, the kernel can permit the process to retain its
+capabilities after a
+.BR setuid (2)
+system call. This feature is known as
+.I keep-caps
+support. The way to activate it using this script is with this
+argument. Setting the value to 1 will cause
+.I keep-caps
+to be active. Setting it to 0 will cause keep-caps to deactivate for
+the current process. In all cases,
+.I keep-caps
+is deactivated when an
+.BR exec ()
+is performed. See
+.B --secbits
+for ways to disable this feature.
+.TP
+.BI --secbits= N
+XXX - need to document this feature.
+.TP
+.BI --chroot= path
+Execute the
+.BR chroot (2)
+system call with the new root-directory (/) equal to
+.IR path .
+This operation requires
+.B CAP_SYS_CHROOT
+to be in effect.
+.TP
+.BI --forkfor= sec
+.TP
+.BI --killit= sig
+.TP
+.BI --decode= N
+This is a convenience feature. If you look at
+.B /proc/1/status
+there are some capability related fields of the following form:
+
+ CapInh:	0000000000000000
+ CapPrm:	ffffffffffffffff
+ CapEff:	fffffffffffffeff
+ CapBnd:	ffffffffffffffff
+
+This option provides a quick way to decode a capability vector
+represented in this form. For example, the missing capability from
+this effective set is 0x0100. By running:
+
+ capsh --decode=0x0100
+
+we observe that the missing capability is:
+.BR cap_setpcap .
+.SH "EXIT STATUS"
+Following successful execution the tool exits with status 0. Following
+an error, the tool immediately exits with status 1.
+.SH AUTHOR
+Written by Andrew G. Morgan <morgan@kernel.org>.
+.SH "REPORTING BUGS"
+Please report bugs to the author.
+.SH "SEE ALSO"
+.BR libcap (3),
+.BR getcap (8), setcap (8)
+and
+.BR capabilities (7).
diff --git a/libcap-2.19/doc/getcap.8 b/libcap-2.19/doc/getcap.8
new file mode 100644
index 0000000..1d5ac0f
--- /dev/null
+++ b/libcap-2.19/doc/getcap.8
@@ -0,0 +1,29 @@
+.\"
+.\" $Id: getcap.8,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH GETCAP 8 "12 Nov 2007"
+.SH NAME
+getcap \- examine file capabilities
+.SH SYNOPSIS
+\fBgetcap\fP [-v] [-r] [-h] \fIfilename\fP [ ... ]
+.SH DESCRIPTION
+.B getcap
+displays the name and capabilities of each specified
+.SH OPTIONS
+.TP 4
+.B -r
+enables recursive search.
+.TP 4
+.B -v
+enables to display all searched entries, even if it has no file-capabilities.
+.TP 4
+.B -h
+prints quick usage.
+.TP 4
+.IR filename
+One file per line.
+.SH "SEE ALSO"
+.BR cap_get_file (3),
+.BR cap_to_text (3),
+.BR setcap (8)
diff --git a/libcap-2.19/doc/libcap.3 b/libcap-2.19/doc/libcap.3
new file mode 100644
index 0000000..827ce60
--- /dev/null
+++ b/libcap-2.19/doc/libcap.3
@@ -0,0 +1,113 @@
+.TH LIBCAP 3 "2008-07-29" "" "Linux Programmer's Manual"
+.SH NAME
+cap_clear, cap_clear_flag, cap_compare, cap_copy_ext, cap_copy_int, \
+cap_free, cap_from_name, cap_from_text, cap_get_fd, cap_get_file, \
+cap_get_flag, cap_get_pid, cap_get_proc, cap_set_fd, cap_set_file, \
+cap_set_flag, cap_set_proc, cap_size, cap_to_name, cap_to_text, \
+cap_get_pid, cap_dup \- capability data object manipulation
+.SH SYNOPSIS
+.nf
+.B #include <sys/capability.h>
+.sp
+.BI "int cap_clear(cap_t " cap_p );
+.sp
+.BI "int cap_clear_flag(cap_t " cap_p ", cap_flag_t " flag ");"
+.sp
+.BI "int cap_compare(cap_t " cap_a ", cap_t " cap_b ");"
+.sp
+.BI "ssize_t cap_copy_ext(void *" ext_p ", cap_t " cap_p ", ssize_t " size );
+.sp
+.BI "cap_t cap_copy_int(const void *" ext_p );
+.sp
+.BI "int cap_free(void *" obj_d );
+.sp
+.BI "int cap_from_name(const char *" name ", cap_value_t *" cap_p );
+.sp
+.BI "cap_t cap_from_text(const char *" buf_p );
+.sp
+.BI "cap_t cap_get_fd(int " fd );
+.sp
+.BI "cap_t cap_get_file(const char *" path_p );
+.sp
+.BI "int cap_get_flag(cap_t " cap_p ", cap_value_t " cap ,
+.BI "                 cap_flag_t " flag ", cap_flag_value_t *" value_p ");"
+.sp
+.B #include <sys/types.h>
+.BI "cap_t cap_get_pid(pid_t " pid );
+.sp
+.B "cap_t cap_get_proc(void);"
+.sp
+.BI "int cap_set_fd(int " fd ", cap_t " caps );
+.sp
+.BI "int cap_set_file(const char *" path_p ", cap_t " cap_p );
+.sp
+.sp
+.BI "int cap_set_flag(cap_t " cap_p ", cap_flag_t " flag ", int " ncap ,
+.BI "                 const cap_value_t *" caps ", cap_flag_value_t " value ");"
+.BI "int cap_set_proc(cap_t " cap_p );
+.sp
+.BI "ssize_t cap_size(cap_t " cap_p );
+.sp
+.BI "char *cap_to_name(cap_value_t " cap );
+.sp
+.BI "char *cap_to_text(cap_t " caps ", ssize_t *" length_p );
+.sp
+.BI "cap_t cap_get_pid(pid_t " pid );
+.sp
+.BI "cap_t cap_dup(cap_t " cap_p );
+.sp
+Link with \fI-lcap\fP.
+.fi
+.SH DESCRIPTION
+These functions work on a capability state held in working storage.
+A
+.I cap_t
+holds information about the capabilities in each of the three sets,
+Permitted, Inheritable, and Effective.
+Each capability in a set may be clear (disabled, 0) or set (enabled, 1).
+.PP
+These functions work with the following data types:
+.TP 18
+.I cap_value_t
+identifies a capability, such as
+.BR CAP_CHOWN .
+.TP
+.I cap_flag_t
+identifies one of the three flags associated with a capability
+(i.e., it identifies one of the three capability sets).
+Valid values for this type are
+.BR CAP_EFFECTIVE ,
+.B CAP_INHERITABLE
+or
+.BR CAP_PERMITTED .
+.TP
+.I cap_flag_value_t
+identifies the setting of a particular capability flag
+(i.e, the value of a capability in a set).
+Valid values for this type are
+.BR CAP_CLEAR (0)
+or
+.BR CAP_SET (1).
+.SH "RETURN VALUE"
+The return value is generally specific to the individual function called.
+On failure,
+.I errno
+is set appropriately.
+.SH "CONFORMING TO"
+These functions are as per the withdrawn POSIX.1e draft specification.
+The following functions are Linux extensions:
+.BR cap_clear_flag (),
+.BR cap_compare (),
+.BR cap_from_name (),
+.BR cap_to_name (),
+and
+.BR cap_compare ().
+.SH "SEE ALSO"
+.BR cap_clear (3),
+.BR cap_copy_ext (3),
+.BR cap_from_text (3),
+.BR cap_get_file (3),
+.BR cap_get_proc (3),
+.BR cap_init (3),
+.BR capabilities (7),
+.BR getpid (2)
diff --git a/libcap-2.19/doc/old/README b/libcap-2.19/doc/old/README
new file mode 100644
index 0000000..75741d3
--- /dev/null
+++ b/libcap-2.19/doc/old/README
@@ -0,0 +1 @@
+these files are not relevant to this release
diff --git a/libcap-2.19/doc/old/_fgetfilecap.2 b/libcap-2.19/doc/old/_fgetfilecap.2
new file mode 100644
index 0000000..6ce400b
--- /dev/null
+++ b/libcap-2.19/doc/old/_fgetfilecap.2
@@ -0,0 +1 @@
+.so man2/_setfilecap.2
diff --git a/libcap-2.19/doc/old/_fsetfilecap.2 b/libcap-2.19/doc/old/_fsetfilecap.2
new file mode 100644
index 0000000..6ce400b
--- /dev/null
+++ b/libcap-2.19/doc/old/_fsetfilecap.2
@@ -0,0 +1 @@
+.so man2/_setfilecap.2
diff --git a/libcap-2.19/doc/old/_getfilecap.2 b/libcap-2.19/doc/old/_getfilecap.2
new file mode 100644
index 0000000..6ce400b
--- /dev/null
+++ b/libcap-2.19/doc/old/_getfilecap.2
@@ -0,0 +1 @@
+.so man2/_setfilecap.2
diff --git a/libcap-2.19/doc/old/_getproccap.2 b/libcap-2.19/doc/old/_getproccap.2
new file mode 100644
index 0000000..5090c98
--- /dev/null
+++ b/libcap-2.19/doc/old/_getproccap.2
@@ -0,0 +1 @@
+.so man2/_setproccap.2
diff --git a/libcap-2.19/doc/old/_setfilecap.2 b/libcap-2.19/doc/old/_setfilecap.2
new file mode 100644
index 0000000..6a0538c
--- /dev/null
+++ b/libcap-2.19/doc/old/_setfilecap.2
@@ -0,0 +1,117 @@
+.\"
+.\" $Id: _setfilecap.2,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH _SETFILECAP 2 "26th April 1997" "Linux 2.1" "Linux Programmer's Manual"
+.SH NAME
+_setfilecap, _getfilecap, _fsetfilecap, _fgetfilecap \- set/get file capabilities
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.BI "int _setfilecap(char const *" filename ", size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset );
+.sp
+.BI "int _getproccap(char const *" filename ", size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset );
+.sp
+.BI "int _fsetfilecap(int " fd ", size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset );
+.sp
+.BI "int _fgetproccap(int " fd ", size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset );
+.SH USAGE
+.br
+.B cc ... -lcap
+.SH DESCRIPTION
+.B _setfilecap
+sets the specified
+.IR filename 's
+Inheritable, Permitted and Effective capabilities to the sets specified.
+A NULL pointer specifies that a set should not be changed.
+.PP
+.B _fsetfilecap
+does the same thing to the file referenced by file descriptor
+.IR fd .
+.PP
+.B _getfilecap
+and
+.B _fgetfilecap
+copy the file's capability sets into the sets provided.
+A NULL pointer specifies that a set should not be returned.
+.PP
+The
+.I usize
+argument specifies the size of the user-space capability sets, in bytes.
+If the kernel uses a different size internally, it will truncate or
+zero-fill as required.
+.PP
+Files don't actually have a proper Effective capability set.  Instead they
+have a single-bit flag, that indicates that the set is either full or
+empty.  When setting a file's capabilities, that flag will be set if
+and only if the Effective set specified has at least one bit set.
+.SH "RETURN VALUE"
+On success, zero is returned.  On error, -1 is returned, and
+.I errno
+is set appropriately.
+.SH ERRORS
+.TP
+.SB EFAULT
+One of the capability arguments or the filename was an invalid data pointer.
+.TP
+.SB EPERM
+An attempt was made to set non-empty capabilities on a file,
+and the caller does not have the
+.SB CAP_FSETCAP
+capability raised.
+.TP
+.SB EPERM
+An attempt was made to set capabilities on a file, and
+the effective UID does not match the owner of the file, and the caller
+does not have the
+.SB CAP_FOWNER
+capability raised.
+.TP
+.SB EINVAL
+An attempt was made to set non-empty capabilities on a file
+residing on a file system that does not support them.
+.TP
+.SB EROFS
+An attempt was made to set capabilities on a file residing
+on a read-only file system.
+.TP
+.SB ENAMETOOLONG
+.I filename
+is too long.
+.TP
+.SB ENOENT
+The file specified does not exist.
+.TP
+.SB ENOMEM
+Insufficient kernel memory was available.
+.TP
+.SB ENOTDIR
+A component of the path prefix is not a directory.
+.TP
+.SB EACCES
+Search permission is denied on a component of the path prefix.
+.TP
+.SB ELOOP
+.I filename
+containes a circular reference (via symlinks).
+.TP
+.SB EBADF
+.I fd
+is not a valid file descriptor.
+.TP
+.SB EIO
+A hard error occurred while reading or writing the file system.
+.TP
+.SB ENOSYS
+The POSIX.1e capability system was not configured into the kernel.
+.SH "CONFORMING TO"
+These system calls are specific to Linux.
+The portable interfaces are
+.IR cap_set_file (3),
+.IR cap_get_file (3),
+.IR cap_set_fd (3),
+and
+.IR cap_get_fd (3).
+.SH "SEE ALSO"
+.IR _setproccap (2).
+
diff --git a/libcap-2.19/doc/old/_setproccap.2 b/libcap-2.19/doc/old/_setproccap.2
new file mode 100644
index 0000000..d4579c8
--- /dev/null
+++ b/libcap-2.19/doc/old/_setproccap.2
@@ -0,0 +1,52 @@
+.\"
+.\" $Id: _setproccap.2,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+.\" written by Andrew Main <zefram@dcs.warwick.ac.uk>
+.\"
+.TH _SETPROCCAP 2 "26th April 1997" "Linux 2.1" "Linux Programmer's Manual"
+.SH NAME
+_setproccap, _getproccap \- set/get process capabilities
+.SH SYNOPSIS
+.B #include <sys/capability.h>
+.sp
+.BI "int _setproccap(size_t " usize ", __cap_s const *" iset ", __cap_s const *" pset ", __cap_s const *" eset );
+.sp
+.BI "int _getproccap(size_t " usize ", __cap_s *" iset ", __cap_s *" pset ", __cap_s *" eset );
+.SH DESCRIPTION
+.B _setproccap
+sets the calling process'
+Inheritable, Permitted and Effective capabilities to the sets specified.
+A NULL pointer specifies that a set should not be changed.
+.PP
+.B _getproccap
+copies the process' capability sets into the sets provided.
+A NULL pointer specifies that a set should not be returned.
+.PP
+The
+.I usize
+argument specifies the size of the user-space capability sets, in bytes.
+If the kernel uses a different size internally, it will truncate or
+zero-fill as required.
+.SH "RETURN VALUE"
+On success, zero is returned.  On error, -1 is returned, and
+.I errno
+is set appropriately.
+.SH ERRORS
+.TP
+.SB EFAULT
+One of the capability arguments was an invalid data pointer.
+.TP
+.SB EPERM
+An attempt was made to add a capability to the Permitted set, or to set
+a capability in the Effective or Inheritable sets that is not in the
+Permitted set.
+.TP
+.SB ENOSYS
+The POSIX.1e capability system was not configured into the kernel.
+.SH "CONFORMING TO"
+These system calls are specific to Linux.
+The portable interfaces are
+.IR cap_set_proc (3)
+and
+.IR cap_get_proc (3).
+.SH "SEE ALSO"
+.IR _setfilecap (2).
diff --git a/libcap-2.19/doc/setcap.8 b/libcap-2.19/doc/setcap.8
new file mode 100644
index 0000000..9344ba5
--- /dev/null
+++ b/libcap-2.19/doc/setcap.8
@@ -0,0 +1,49 @@
+.\"
+.\" $Id: setcap.8,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+.\"
+.TH SETCAP 8 "24th October 2008"
+.SH NAME
+setcap \- set file capabilities
+.SH SYNOPSIS
+\fBsetcap\fP [-q] [-v] (\fIcapabilities|-|-r) filename\fP [ ... \fIcapabilitiesN\fP \fIfileN\fP ]
+.SH DESCRIPTION
+In the absence of the
+.B -v
+(verify) option
+.B setcap
+sets the capabilities of each specified
+.I filename
+to the
+.I capabilities
+specified.  The
+.B -v
+option is used to verify that the specified capabilities are currently
+associated with the file.
+.PP
+The
+.I capabilities
+are specified in the form described in
+.IR cap_from_text (3).
+.PP
+The special capability string,
+.BR '-' ,
+can be used to indicate that capabilities are read from the standard
+input. In such cases, the capability set is terminated with a blank
+line.
+.PP
+The special capability string,
+.BR '-r' ,
+is used to remove a capability set from a file.
+.PP
+The
+.B -q
+flag is used to make the program less verbose in its output.
+.SH "EXIT CODE"
+The
+.B setcap
+program will exit with a 0 exit code if successful. On failure, the
+exit code is 1.
+.SH "SEE ALSO"
+.BR cap_from_text (3),
+.BR cap_set_file (3),
+.BR getcap (8)
diff --git a/libcap-2.19/libcap/Makefile b/libcap-2.19/libcap/Makefile
new file mode 100644
index 0000000..8a61752
--- /dev/null
+++ b/libcap-2.19/libcap/Makefile
@@ -0,0 +1,79 @@
+#
+# defines
+#
+topdir=$(shell pwd)/..
+include ../Make.Rules
+#
+# Library version
+#
+LIBNAME=$(LIBTITLE).so
+STALIBNAME=$(LIBTITLE).a
+#
+
+FILES=cap_alloc cap_proc cap_extint cap_flag cap_text
+
+# make including file support something you can override (no libattr
+# no support).
+ifeq ($(LIBATTR),yes)
+FILES += cap_file
+LDFLAGS += -lattr
+endif
+
+INCLS=libcap.h cap_names.h $(INCS)
+OBJS=$(addsuffix .o, $(FILES))
+MAJLIBNAME=$(LIBNAME).$(VERSION)
+MINLIBNAME=$(MAJLIBNAME).$(MINOR)
+GPERF_OUTPUT = _caps_output.gperf
+
+all: $(MINLIBNAME) $(STALIBNAME)
+
+ifeq ($(shell gperf --version > /dev/null 2>&1 && echo yes),yes)
+USE_GPERF_OUTPUT = $(GPERF_OUTPUT)
+INCLUDE_GPERF_OUTPUT = -include $(GPERF_OUTPUT)
+endif
+
+_makenames: _makenames.c cap_names.list.h
+	$(BUILD_CC) $(BUILD_CFLAGS) $< -o $@
+
+cap_names.h: _makenames
+	./_makenames > cap_names.h
+
+$(GPERF_OUTPUT): cap_names.list.h
+	perl -e 'print "struct __cap_token_s { const char *name; int index; };\n%{\nconst struct __cap_token_s *__cap_lookup_name(const char *, unsigned int);\n%}\n%%\n"; while ($$l = <>) { $$l =~ s/[\{\"]//g; $$l =~ s/\}.*// ; print $$l; }' < $< | gperf --ignore-case --language=ANSI-C --readonly --null-strings --global-table --hash-function-name=__cap_hash_name --lookup-function-name="__cap_lookup_name" -c -t -m20 $(INDENT) > $@
+
+cap_names.list.h: Makefile $(KERNEL_HEADERS)/linux/capability.h
+	@echo "=> making $@ from $(KERNEL_HEADERS)/linux/capability.h"
+	perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/linux/capability.h | fgrep -v 0x > $@
+
+$(STALIBNAME): $(OBJS)
+	$(AR) rcs $@ $^
+	$(RANLIB) $@
+
+$(MINLIBNAME): $(OBJS)
+	$(LD) $(CFLAGS) $(LDFLAGS) -Wl,-soname,$(MAJLIBNAME) -o $@ $^
+	ln -sf $(MINLIBNAME) $(MAJLIBNAME)
+	ln -sf $(MAJLIBNAME) $(LIBNAME)
+
+%.o: %.c $(INCLS)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+cap_text.o: cap_text.c $(USE_GPERF_OUTPUT) $(INCLS)
+	$(CC) $(CFLAGS) $(INCLUDE_GPERF_OUTPUT) -c $< -o $@
+
+install: all
+	mkdir -p -m 0755 $(INCDIR)/sys
+	install -m 0644 include/sys/capability.h $(INCDIR)/sys
+	mkdir -p -m 0755 $(LIBDIR)
+	install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
+	install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME)
+	ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME)
+	ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME)
+ifeq ($(FAKEROOT),)
+	-/sbin/ldconfig
+endif
+
+clean:
+	$(LOCALCLEAN)
+	rm -f $(OBJS) $(LIBNAME)* $(STALIBNAME)
+	rm -f cap_names.h cap_names.list.h _makenames $(GPERF_OUTPUT)
+	cd include/sys && $(LOCALCLEAN)
diff --git a/libcap-2.19/libcap/_makenames.c b/libcap-2.19/libcap/_makenames.c
new file mode 100644
index 0000000..8cc819b
--- /dev/null
+++ b/libcap-2.19/libcap/_makenames.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 1997-8 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * This is a file to make the capability <-> string mappings for
+ * libcap.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/capability.h>
+
+/*
+ * #include 'sed' generated array
+ */
+
+struct {
+    const char *name;
+    int index;
+} const list[] = {
+#include "cap_names.list.h"
+    {NULL, -1}
+};
+
+/* this should be more than big enough (factor of three at least) */
+const char *pointers[8*sizeof(struct __user_cap_data_struct)];
+
+int main(void)
+{
+    int i, maxcaps=0;
+
+    for ( i=0; list[i].index >= 0 && list[i].name; ++i ) {
+	if (maxcaps <= list[i].index) {
+	    maxcaps = list[i].index + 1;
+	}
+	pointers[list[i].index] = list[i].name;
+    }
+
+    printf("/*\n"
+	   " * DO NOT EDIT: this file is generated automatically from\n"
+	   " *\n"
+	   " *     <linux/capability.h>\n"
+	   " */\n"
+	   "#define __CAP_BITS   %d\n"
+	   "\n"
+	   "#ifdef LIBCAP_PLEASE_INCLUDE_ARRAY\n"
+	   "  char const *_cap_names[__CAP_BITS] = {\n", maxcaps);
+
+    for (i=0; i<maxcaps; ++i) {
+	if (pointers[i])
+	    printf("      /* %d */\t\"%s\",\n", i, pointers[i]);
+	else
+	    printf("      /* %d */\tNULL,\t\t/* - presently unused */\n", i);
+    }
+
+    printf("  };\n"
+	   "#endif /* LIBCAP_PLEASE_INCLUDE_ARRAY */\n"
+	   "\n"
+	   "/* END OF FILE */\n");
+
+    exit(0);
+}
diff --git a/libcap-2.19/libcap/cap_alloc.c b/libcap-2.19/libcap/cap_alloc.c
new file mode 100644
index 0000000..5fa5e93
--- /dev/null
+++ b/libcap-2.19/libcap/cap_alloc.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with allocation and deallocation of internal
+ * capability sets as specified by POSIX.1e (formerlly, POSIX 6).
+ */
+
+#include "libcap.h"
+
+/*
+ * Obtain a blank set of capabilities
+ */
+
+cap_t cap_init(void)
+{
+    __u32 *raw_data;
+    cap_t result;
+
+    raw_data = malloc( sizeof(__u32) + sizeof(*result) );
+
+    if (raw_data == NULL) {
+	_cap_debug("out of memory");
+	errno = ENOMEM;
+	return NULL;
+    }
+
+    *raw_data = CAP_T_MAGIC;
+    result = (cap_t) (raw_data + 1);
+    memset(result, 0, sizeof(*result));
+
+    result->head.version = _LIBCAP_CAPABILITY_VERSION;
+    capget(&result->head, NULL);      /* load the kernel-capability version */
+
+    switch (result->head.version) {
+#ifdef _LINUX_CAPABILITY_VERSION_1
+    case _LINUX_CAPABILITY_VERSION_1:
+	break;
+#endif
+#ifdef _LINUX_CAPABILITY_VERSION_2
+    case _LINUX_CAPABILITY_VERSION_2:
+	break;
+#endif
+#ifdef _LINUX_CAPABILITY_VERSION_3
+    case _LINUX_CAPABILITY_VERSION_3:
+	break;
+#endif
+    default:                          /* No idea what to do */
+	cap_free(result);
+	result = NULL;
+	break;
+    }
+
+    return result;
+}
+
+/*
+ * This is an internal library function to duplicate a string and
+ * tag the result as something cap_free can handle.
+ */
+
+char *_libcap_strdup(const char *old)
+{
+    __u32 *raw_data;
+
+    if (old == NULL) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+    if (raw_data == NULL) {
+	errno = ENOMEM;
+	return NULL;
+    }
+
+    *(raw_data++) = CAP_S_MAGIC;
+    strcpy((char *) raw_data, old);
+
+    return ((char *) raw_data);
+}
+
+/*
+ * This function duplicates an internal capability set with
+ * malloc()'d memory. It is the responsibility of the user to call
+ * cap_free() to liberate it.
+ */
+
+cap_t cap_dup(cap_t cap_d)
+{
+    cap_t result;
+
+    if (!good_cap_t(cap_d)) {
+	_cap_debug("bad argument");
+	errno = EINVAL;
+	return NULL;
+    }
+
+    result = cap_init();
+    if (result == NULL) {
+	_cap_debug("out of memory");
+	return NULL;
+    }
+
+    memcpy(result, cap_d, sizeof(*cap_d));
+
+    return result;
+}
+
+
+/*
+ * Scrub and then liberate an internal capability set.
+ */
+
+int cap_free(void *data_p)
+{
+    if ( !data_p )
+	return 0;
+
+    if ( good_cap_t(data_p) ) {
+	data_p = -1 + (__u32 *) data_p;
+	memset(data_p, 0, sizeof(__u32) + sizeof(struct _cap_struct));
+	free(data_p);
+	data_p = NULL;
+	return 0;
+    }
+
+    if ( good_cap_string(data_p) ) {
+	int length = strlen(data_p) + sizeof(__u32);
+     	data_p = -1 + (__u32 *) data_p;
+     	memset(data_p, 0, length);
+     	free(data_p);
+     	data_p = NULL;
+     	return 0;
+    }
+
+    _cap_debug("don't recognize what we're supposed to liberate");
+    errno = EINVAL;
+    return -1;
+}
diff --git a/libcap-2.19/libcap/cap_extint.c b/libcap-2.19/libcap/cap_extint.c
new file mode 100644
index 0000000..5a0cc8e
--- /dev/null
+++ b/libcap-2.19/libcap/cap_extint.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with exchanging internal and external
+ * representations of capability sets.
+ */
+
+#include "libcap.h"
+
+/*
+ * External representation for capabilities. (exported as a fixed
+ * length)
+ */
+#define CAP_EXT_MAGIC "\220\302\001\121"
+#define CAP_EXT_MAGIC_SIZE 4
+const static __u8 external_magic[CAP_EXT_MAGIC_SIZE+1] = CAP_EXT_MAGIC;
+
+struct cap_ext_struct {
+    __u8 magic[CAP_EXT_MAGIC_SIZE];
+    __u8 length_of_capset;
+    /*
+     * note, we arrange these so the caps are stacked with byte-size
+     * resolution
+     */
+    __u8 bytes[CAP_SET_SIZE][NUMBER_OF_CAP_SETS];
+};
+
+/*
+ * return size of external capability set
+ */
+
+ssize_t cap_size(cap_t caps)
+{
+    return sizeof(struct cap_ext_struct);
+}
+
+/*
+ * Copy the internal (cap_d) capability set into an external
+ * representation.  The external representation is portable to other
+ * Linux architectures.
+ */
+
+ssize_t cap_copy_ext(void *cap_ext, cap_t cap_d, ssize_t length)
+{
+    struct cap_ext_struct *result = (struct cap_ext_struct *) cap_ext;
+    int i;
+
+    /* valid arguments? */
+    if (!good_cap_t(cap_d) || length < sizeof(struct cap_ext_struct)
+	|| cap_ext == NULL) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    /* fill external capability set */
+    memcpy(&result->magic, external_magic, CAP_EXT_MAGIC_SIZE);
+    result->length_of_capset = CAP_SET_SIZE;
+
+    for (i=0; i<NUMBER_OF_CAP_SETS; ++i) {
+	int j;
+	for (j=0; j<CAP_SET_SIZE; ) {
+	    __u32 val;
+
+	    val = cap_d->u[j/sizeof(__u32)].flat[i];
+
+	    result->bytes[j++][i] =  val        & 0xFF;
+	    result->bytes[j++][i] = (val >>= 8) & 0xFF;
+	    result->bytes[j++][i] = (val >>= 8) & 0xFF;
+	    result->bytes[j++][i] = (val >> 8)  & 0xFF;
+	}
+    }
+
+    /* All done: return length of external representation */
+    return (sizeof(struct cap_ext_struct));
+}
+
+/*
+ * Import an external representation to produce an internal rep.
+ * the internal rep should be liberated with cap_free().
+ */
+
+cap_t cap_copy_int(const void *cap_ext)
+{
+    const struct cap_ext_struct *export =
+	(const struct cap_ext_struct *) cap_ext;
+    cap_t cap_d;
+    int set, blen;
+
+    /* Does the external representation make sense? */
+    if ((export == NULL)
+	|| memcmp(export->magic, external_magic, CAP_EXT_MAGIC_SIZE)) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    /* Obtain a new internal capability set */
+    if (!(cap_d = cap_init()))
+       return NULL;
+
+    blen = export->length_of_capset;
+    for (set=0; set<NUMBER_OF_CAP_SETS; ++set) {
+	int blk;
+	int bno = 0;
+	for (blk=0; blk<(CAP_SET_SIZE/sizeof(__u32)); ++blk) {
+	    __u32 val = 0;
+
+	    if (bno != blen)
+		val  = export->bytes[bno++][set];
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 8;
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 16;
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 24;
+
+	    cap_d->u[blk].flat[set] = val;
+	}
+    }
+
+    /* all done */
+    return cap_d;
+}
+
diff --git a/libcap-2.19/libcap/cap_file.c b/libcap-2.19/libcap/cap_file.c
new file mode 100644
index 0000000..634e601
--- /dev/null
+++ b/libcap-2.19/libcap/cap_file.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (c) 1997,2007 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with setting capabilities on files.
+ */
+
+#include <sys/types.h>
+#include <sys/xattr.h>
+#include <byteswap.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#define XATTR_SECURITY_PREFIX "security."
+
+#include "libcap.h"
+
+#ifdef VFS_CAP_U32
+
+#if VFS_CAP_U32 != __CAP_BLKS
+# error VFS representation of capabilities is not the same size as kernel
+#endif
+
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define FIXUP_32BITS(x) bswap_32(x)
+#else
+#define FIXUP_32BITS(x) (x)
+#endif
+
+static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result,
+			 int bytes)
+{
+    __u32 magic_etc;
+    unsigned tocopy, i;
+
+    magic_etc = FIXUP_32BITS(rawvfscap->magic_etc);
+    switch (magic_etc & VFS_CAP_REVISION_MASK) {
+#ifdef VFS_CAP_REVISION_1
+    case VFS_CAP_REVISION_1:
+	tocopy = VFS_CAP_U32_1;
+	bytes -= XATTR_CAPS_SZ_1;
+	break;
+#endif
+
+#ifdef VFS_CAP_REVISION_2
+    case VFS_CAP_REVISION_2:
+	tocopy = VFS_CAP_U32_2;
+	bytes -= XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+    default:
+	cap_free(result);
+	result = NULL;
+	return result;
+    }
+
+    /*
+     * Verify that we loaded exactly the right number of bytes
+     */
+    if (bytes != 0) {
+	cap_free(result);
+	result = NULL;
+	return result;
+    }
+
+    for (i=0; i < tocopy; i++) {
+	result->u[i].flat[CAP_INHERITABLE]
+	    = FIXUP_32BITS(rawvfscap->data[i].inheritable);
+	result->u[i].flat[CAP_PERMITTED]
+	    = FIXUP_32BITS(rawvfscap->data[i].permitted);
+	if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
+	    result->u[i].flat[CAP_EFFECTIVE]
+		= result->u[i].flat[CAP_INHERITABLE]
+		| result->u[i].flat[CAP_PERMITTED];
+	}
+    }
+    while (i < __CAP_BLKS) {
+	result->u[i].flat[CAP_INHERITABLE]
+	    = result->u[i].flat[CAP_PERMITTED]
+	    = result->u[i].flat[CAP_EFFECTIVE] = 0;
+	i++;
+    }
+
+    return result;
+}
+
+static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d,
+		       int *bytes_p)
+{
+    __u32 eff_not_zero, magic;
+    unsigned tocopy, i;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    switch (cap_d->head.version) {
+#ifdef _LINUX_CAPABILITY_VERSION_1
+    case _LINUX_CAPABILITY_VERSION_1:
+	magic = VFS_CAP_REVISION_1;
+	tocopy = VFS_CAP_U32_1;
+	*bytes_p = XATTR_CAPS_SZ_1;
+	break;
+#endif
+
+#ifdef _LINUX_CAPABILITY_VERSION_2
+    case _LINUX_CAPABILITY_VERSION_2:
+	magic = VFS_CAP_REVISION_2;
+	tocopy = VFS_CAP_U32_2;
+	*bytes_p = XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+#ifdef _LINUX_CAPABILITY_VERSION_3
+    case _LINUX_CAPABILITY_VERSION_3:
+	magic = VFS_CAP_REVISION_2;
+	tocopy = VFS_CAP_U32_2;
+	*bytes_p = XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting named file capabilities");
+
+    for (eff_not_zero = 0, i = 0; i < tocopy; i++) {
+	eff_not_zero |= cap_d->u[i].flat[CAP_EFFECTIVE];
+    }
+    while (i < __CAP_BLKS) {
+	if ((cap_d->u[i].flat[CAP_EFFECTIVE]
+	     || cap_d->u[i].flat[CAP_INHERITABLE]
+	     || cap_d->u[i].flat[CAP_PERMITTED])) {
+	    /*
+	     * System does not support these capabilities
+	     */
+	    errno = EINVAL;
+	    return -1;
+	}
+	i++;
+    }
+
+    for (i=0; i < tocopy; i++) {
+	rawvfscap->data[i].permitted
+	    = FIXUP_32BITS(cap_d->u[i].flat[CAP_PERMITTED]);
+	rawvfscap->data[i].inheritable
+	    = FIXUP_32BITS(cap_d->u[i].flat[CAP_INHERITABLE]);
+
+	if (eff_not_zero
+	    && ((~(cap_d->u[i].flat[CAP_EFFECTIVE]))
+		& (cap_d->u[i].flat[CAP_PERMITTED]
+		   | cap_d->u[i].flat[CAP_INHERITABLE]))) {
+	    errno = EINVAL;
+	    return -1;
+	}
+    }
+
+    if (eff_not_zero == 0) {
+	rawvfscap->magic_etc = FIXUP_32BITS(magic);
+    } else {
+	rawvfscap->magic_etc = FIXUP_32BITS(magic|VFS_CAP_FLAGS_EFFECTIVE);
+    }
+
+    return 0;      /* success */
+}
+
+/*
+ * Get the capabilities of an open file, as specified by its file
+ * descriptor.
+ */
+
+cap_t cap_get_fd(int fildes)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	struct vfs_cap_data rawvfscap;
+	int sizeofcaps;
+
+	_cap_debug("getting fildes capabilities");
+
+	/* fill the capability sets via a system call */
+	sizeofcaps = fgetxattr(fildes, XATTR_NAME_CAPS,
+			       &rawvfscap, sizeof(rawvfscap));
+	if (sizeofcaps < sizeof(rawvfscap.magic_etc)) {
+	    cap_free(result);
+	    result = NULL;
+	} else {
+	    result = _fcaps_load(&rawvfscap, result, sizeofcaps);
+	}
+    }
+
+    return result;
+}
+
+/*
+ * Get the capabilities from a named file.
+ */
+
+cap_t cap_get_file(const char *filename)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	struct vfs_cap_data rawvfscap;
+	int sizeofcaps;
+
+	_cap_debug("getting filename capabilities");
+
+	/* fill the capability sets via a system call */
+	sizeofcaps = getxattr(filename, XATTR_NAME_CAPS,
+			      &rawvfscap, sizeof(rawvfscap));
+	if (sizeofcaps < sizeof(rawvfscap.magic_etc)) {
+	    cap_free(result);
+	    result = NULL;
+	} else {
+	    result = _fcaps_load(&rawvfscap, result, sizeofcaps);
+	}
+    }
+
+    return result;
+}
+
+/*
+ * Set the capabilities of an open file, as specified by its file
+ * descriptor.
+ */
+
+int cap_set_fd(int fildes, cap_t cap_d)
+{
+    struct vfs_cap_data rawvfscap;
+    int sizeofcaps;
+    struct stat buf;
+
+    if (fstat(fildes, &buf) != 0) {
+	_cap_debug("unable to stat file descriptor %d", fildes);
+	return -1;
+    }
+    if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+	_cap_debug("file descriptor %d for non-regular file", fildes);
+	errno = EINVAL;
+	return -1;
+    }
+
+    if (cap_d == NULL) {
+	_cap_debug("deleting fildes capabilities");
+	return fremovexattr(fildes, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+	return -1;
+    }
+
+    _cap_debug("setting fildes capabilities");
+
+    return fsetxattr(fildes, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
+}
+
+/*
+ * Set the capabilities of a named file.
+ */
+
+int cap_set_file(const char *filename, cap_t cap_d)
+{
+    struct vfs_cap_data rawvfscap;
+    int sizeofcaps;
+    struct stat buf;
+
+    if (lstat(filename, &buf) != 0) {
+	_cap_debug("unable to stat file [%s]", filename);
+	return -1;
+    }
+    if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+	_cap_debug("file [%s] is not a regular file", filename);
+	errno = EINVAL;
+	return -1;
+    }
+
+    if (cap_d == NULL) {
+	_cap_debug("removing filename capabilities");
+	return removexattr(filename, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+	return -1;
+    }
+
+    _cap_debug("setting filename capabilities");
+    return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
+}
+
+#else /* ie. ndef VFS_CAP_U32 */
+
+cap_t cap_get_fd(int fildes)
+{
+    errno = EINVAL;
+    return NULL;
+}
+
+cap_t cap_get_file(const char *filename)
+{
+    errno = EINVAL;
+    return NULL;
+}
+
+int cap_set_fd(int fildes, cap_t cap_d)
+{
+    errno = EINVAL;
+    return -1;
+}
+
+int cap_set_file(const char *filename, cap_t cap_d)
+{
+    errno = EINVAL;
+    return -1;
+}
+
+#endif /* def VFS_CAP_U32 */
diff --git a/libcap-2.19/libcap/cap_flag.c b/libcap-2.19/libcap/cap_flag.c
new file mode 100644
index 0000000..52ec3b3
--- /dev/null
+++ b/libcap-2.19/libcap/cap_flag.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * This file deals with flipping of capabilities on internal
+ * capability sets as specified by POSIX.1e (formerlly, POSIX 6).
+ */
+
+#include "libcap.h"
+
+/*
+ * Return the state of a specified capability flag.  The state is
+ * returned as the contents of *raised.  The capability is from one of
+ * the sets stored in cap_d as specified by set and value
+ */
+
+int cap_get_flag(cap_t cap_d, cap_value_t value, cap_flag_t set,
+		 cap_flag_value_t *raised)
+{
+    /*
+     * Do we have a set and a place to store its value?
+     * Is it a known capability?
+     */
+
+    if (raised && good_cap_t(cap_d) && value >= 0 && value < __CAP_BITS
+	&& set >= 0 && set < NUMBER_OF_CAP_SETS) {
+	*raised = isset_cap(cap_d,value,set) ? CAP_SET:CAP_CLEAR;
+	return 0;
+    } else {
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+    }
+}
+
+/*
+ * raise/lower a selection of capabilities
+ */
+
+int cap_set_flag(cap_t cap_d, cap_flag_t set,
+		 int no_values, const cap_value_t *array_values,
+		 cap_flag_value_t raise)
+{
+    /*
+     * Do we have a set and a place to store its value?
+     * Is it a known capability?
+     */
+
+    if (good_cap_t(cap_d) && no_values > 0 && no_values <= __CAP_BITS
+	&& (set >= 0) && (set < NUMBER_OF_CAP_SETS)
+	&& (raise == CAP_SET || raise == CAP_CLEAR) ) {
+	int i;
+	for (i=0; i<no_values; ++i) {
+	    if (array_values[i] < 0 || array_values[i] >= __CAP_BITS) {
+		_cap_debug("weird capability (%d) - skipped", array_values[i]);
+	    } else {
+		int value = array_values[i];
+
+		if (raise == CAP_SET) {
+		    cap_d->raise_cap(value,set);
+		} else {
+		    cap_d->lower_cap(value,set);
+		}
+	    }
+	}
+	return 0;
+
+    } else {
+
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+
+    }
+}
+
+/*
+ *  Reset the capability to be empty (nothing raised)
+ */
+
+int cap_clear(cap_t cap_d)
+{
+    if (good_cap_t(cap_d)) {
+
+	memset(&(cap_d->u), 0, sizeof(cap_d->u));
+	return 0;
+
+    } else {
+
+	_cap_debug("invalid pointer");
+	errno = EINVAL;
+	return -1;
+
+    }
+}
+
+/*
+ *  Reset the all of the capability bits for one of the flag sets
+ */
+
+int cap_clear_flag(cap_t cap_d, cap_flag_t flag)
+{
+    switch (flag) {
+    case CAP_EFFECTIVE:
+    case CAP_PERMITTED:
+    case CAP_INHERITABLE:
+	if (good_cap_t(cap_d)) {
+	    unsigned i;
+
+	    for (i=0; i<_LIBCAP_CAPABILITY_U32S; i++) {
+		cap_d->u[i].flat[flag] = 0;
+	    }
+	    return 0;
+	}
+	/*
+	 * fall through
+	 */
+
+    default:
+	_cap_debug("invalid pointer");
+	errno = EINVAL;
+	return -1;
+    }
+}
+
+/*
+ * Compare two capability sets
+ */
+
+int cap_compare(cap_t a, cap_t b)
+{
+    unsigned i;
+    int result;
+
+    if (!(good_cap_t(a) && good_cap_t(b))) {
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+    }
+
+    for (i=0, result=0; i<_LIBCAP_CAPABILITY_U32S; i++) {
+	result |=
+	    ((a->u[i].flat[CAP_EFFECTIVE] != b->u[i].flat[CAP_EFFECTIVE])
+	     ? LIBCAP_EFF : 0)
+	    | ((a->u[i].flat[CAP_INHERITABLE] != b->u[i].flat[CAP_INHERITABLE])
+	       ? LIBCAP_INH : 0)
+	    | ((a->u[i].flat[CAP_PERMITTED] != b->u[i].flat[CAP_PERMITTED])
+	       ? LIBCAP_PER : 0);
+    }
+    return result;
+}
diff --git a/libcap-2.19/libcap/cap_proc.c b/libcap-2.19/libcap/cap_proc.c
new file mode 100644
index 0000000..7a6af39
--- /dev/null
+++ b/libcap-2.19/libcap/cap_proc.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1997-8,2007 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with setting capabilities on processes.
+ */
+
+#include "libcap.h"
+
+cap_t cap_get_proc(void)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	_cap_debug("getting current process' capabilities");
+
+	/* fill the capability sets via a system call */
+	if (capget(&result->head, &result->u[0].set)) {
+	    cap_free(result);
+	    result = NULL;
+	}
+    }
+
+    return result;
+}
+
+int cap_set_proc(cap_t cap_d)
+{
+    int retval;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting process capabilities");
+    retval = capset(&cap_d->head, &cap_d->u[0].set);
+
+    return retval;
+}
+
+/* the following two functions are not required by POSIX */
+
+/* read the caps on a specific process */
+
+int capgetp(pid_t pid, cap_t cap_d)
+{
+    int error;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("getting process capabilities for proc %d", pid);
+
+    cap_d->head.pid = pid;
+    error = capget(&cap_d->head, &cap_d->u[0].set);
+    cap_d->head.pid = 0;
+
+    return error;
+}
+
+/* allocate space for and return capabilities of target process */
+
+cap_t cap_get_pid(pid_t pid)
+{
+    cap_t result;
+
+    result = cap_init();
+    if (result) {
+	if (capgetp(pid, result) != 0) {
+	    int my_errno;
+
+	    my_errno = errno;
+	    cap_free(result);
+	    errno = my_errno;
+	    result = NULL;
+	}
+    }
+
+    return result;
+}
+
+/* set the caps on a specific process/pg etc.. */
+
+int capsetp(pid_t pid, cap_t cap_d)
+{
+    int error;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting process capabilities for proc %d", pid);
+    cap_d->head.pid = pid;
+    error = capset(&cap_d->head, &cap_d->u[0].set);
+    cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
+    cap_d->head.pid = 0;
+
+    return error;
+}
+
diff --git a/libcap-2.19/libcap/cap_text.c b/libcap-2.19/libcap/cap_text.c
new file mode 100644
index 0000000..42fb685
--- /dev/null
+++ b/libcap-2.19/libcap/cap_text.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1997-8,2007-8 Andrew G Morgan <morgan@kernel.org>
+ * Copyright (c) 1997 Andrew Main <zefram@dcs.warwick.ac.uk>
+ *
+ * This file deals with exchanging internal and textual
+ * representations of capability sets.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#define LIBCAP_PLEASE_INCLUDE_ARRAY
+#include "libcap.h"
+
+#include <ctype.h>
+#include <limits.h>
+
+/* Maximum output text length (16 per cap) */
+#define CAP_TEXT_SIZE    (16*__CAP_MAXBITS)
+
+/*
+ * Parse a textual representation of capabilities, returning an internal
+ * representation.
+ */
+
+#define raise_cap_mask(flat, c)  (flat)[CAP_TO_INDEX(c)] |= CAP_TO_MASK(c)
+
+static void setbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks)
+{
+    int n;
+    for (n = blks; n--; ) {
+	a->u[n].flat[set] |= b[n];
+    }
+}
+
+static void clrbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks)
+{
+    int n;
+    for (n = blks; n--; )
+	a->u[n].flat[set] &= ~b[n];
+}
+
+static char const *namcmp(char const *str, char const *nam)
+{
+    while (*nam && tolower((unsigned char)*str) == *nam) {
+	str++;
+	nam++;
+    }
+    if (*nam || isalnum((unsigned char)*str) || *str == '_')
+	return NULL;
+    return str;
+}
+
+static void forceall(__u32 *flat, __u32 value, unsigned blks)
+{
+    unsigned n;
+
+    for (n = blks; n--; flat[n] = value);
+
+    return;
+}
+
+static int lookupname(char const **strp)
+{
+    union {
+	char const *constp;
+	char *p;
+    } str;
+
+    str.constp = *strp;
+    if (isdigit(*str.constp)) {
+	unsigned long n = strtoul(str.constp, &str.p, 0);
+	if (n >= __CAP_MAXBITS)
+	    return -1;
+	*strp = str.constp;
+	return n;
+    } else {
+	int c;
+	unsigned len;
+
+	for (len=0; (c = str.constp[len]); ++len) {
+	    if (!(isalpha(c) || (c == '_'))) {
+		break;
+	    }
+	}
+
+#ifdef GPERF_DOWNCASE
+	const struct __cap_token_s *token_info;
+
+	token_info = __cap_lookup_name(str.constp, len);
+	if (token_info != NULL) {
+	    *strp = str.constp + len;
+	    return token_info->index;
+	}
+#else /* ie., ndef GPERF_DOWNCASE */
+	char const *s;
+	unsigned n;
+
+	for (n = __CAP_BITS; n--; )
+	    if (_cap_names[n] && (s = namcmp(str.constp, _cap_names[n]))) {
+		*strp = s;
+		return n;
+	    }
+#endif /* def GPERF_DOWNCASE */
+
+	return -1;   	/* No definition available */
+    }
+}
+
+cap_t cap_from_text(const char *str)
+{
+    cap_t res;
+    int n;
+    unsigned cap_blks;
+
+    if (str == NULL) {
+	_cap_debug("bad argument");
+	errno = EINVAL;
+	return NULL;
+    }
+
+    if (!(res = cap_init()))
+	return NULL;
+
+    switch (res->head.version) {
+    case _LINUX_CAPABILITY_VERSION_1:
+	cap_blks = _LINUX_CAPABILITY_U32S_1;
+	break;
+    case _LINUX_CAPABILITY_VERSION_2:
+	cap_blks = _LINUX_CAPABILITY_U32S_2;
+	break;
+    case _LINUX_CAPABILITY_VERSION_3:
+	cap_blks = _LINUX_CAPABILITY_U32S_3;
+	break;
+    default:
+	errno = EINVAL;
+	return NULL;
+    }
+    
+    _cap_debug("%s", str);
+
+    for (;;) {
+	__u32 list[__CAP_BLKS];
+	char op;
+	int flags = 0, listed=0;
+
+	forceall(list, 0, __CAP_BLKS);
+
+	/* skip leading spaces */
+	while (isspace((unsigned char)*str))
+	    str++;
+	if (!*str) {
+	    _cap_debugcap("e = ", *res, CAP_EFFECTIVE);
+	    _cap_debugcap("i = ", *res, CAP_INHERITABLE);
+	    _cap_debugcap("p = ", *res, CAP_PERMITTED);
+
+	    return res;
+	}
+
+	/* identify caps specified by this clause */
+	if (isalnum((unsigned char)*str) || *str == '_') {
+	    for (;;) {
+		if (namcmp(str, "all")) {
+		    str += 3;
+		    forceall(list, ~0, cap_blks);
+		} else {
+		    n = lookupname(&str);
+		    if (n == -1)
+			goto bad;
+		    raise_cap_mask(list, n);
+		}
+		if (*str != ',')
+		    break;
+		if (!isalnum((unsigned char)*++str) && *str != '_')
+		    goto bad;
+	    }
+	    listed = 1;
+	} else if (*str == '+' || *str == '-') {
+	    goto bad;                    /* require a list of capabilities */
+	} else {
+	    forceall(list, ~0, cap_blks);
+	}
+
+	/* identify first operation on list of capabilities */
+	op = *str++;
+	if (op == '=' && (*str == '+' || *str == '-')) {
+	    if (!listed)
+		goto bad;
+	    op = (*str++ == '+' ? 'P':'M'); /* skip '=' and take next op */
+	} else if (op != '+' && op != '-' && op != '=')
+	    goto bad;
+
+	/* cycle through list of actions */
+	do {
+	    _cap_debug("next char = `%c'", *str);
+	    if (*str && !isspace(*str)) {
+		switch (*str++) {    /* Effective, Inheritable, Permitted */
+		case 'e':
+		    flags |= LIBCAP_EFF;
+		    break;
+		case 'i':
+		    flags |= LIBCAP_INH;
+		    break;
+		case 'p':
+		    flags |= LIBCAP_PER;
+		    break;
+		default:
+		    goto bad;
+		}
+	    } else if (op != '=') {
+		_cap_debug("only '=' can be followed by space");
+		goto bad;
+	    }
+
+	    _cap_debug("how to read?");
+	    switch (op) {               /* how do we interpret the caps? */
+	    case '=':
+	    case 'P':                                              /* =+ */
+	    case 'M':                                              /* =- */
+		clrbits(res, list, CAP_EFFECTIVE, cap_blks);
+		clrbits(res, list, CAP_PERMITTED, cap_blks);
+		clrbits(res, list, CAP_INHERITABLE, cap_blks);
+		if (op == 'M')
+		    goto minus;
+		/* fall through */
+	    case '+':
+		if (flags & LIBCAP_EFF)
+		    setbits(res, list, CAP_EFFECTIVE, cap_blks);
+		if (flags & LIBCAP_PER)
+		    setbits(res, list, CAP_PERMITTED, cap_blks);
+		if (flags & LIBCAP_INH)
+		    setbits(res, list, CAP_INHERITABLE, cap_blks);
+		break;
+	    case '-':
+	    minus:
+		if (flags & LIBCAP_EFF)
+		    clrbits(res, list, CAP_EFFECTIVE, cap_blks);
+		if (flags & LIBCAP_PER)
+		    clrbits(res, list, CAP_PERMITTED, cap_blks);
+		if (flags & LIBCAP_INH)
+		    clrbits(res, list, CAP_INHERITABLE, cap_blks);
+		break;
+	    }
+
+	    /* new directive? */
+	    if (*str == '+' || *str == '-') {
+		if (!listed) {
+		    _cap_debug("for + & - must list capabilities");
+		    goto bad;
+		}
+		flags = 0;                       /* reset the flags */
+		op = *str++;
+		if (!isalpha(*str))
+		    goto bad;
+	    }
+	} while (*str && !isspace(*str));
+	_cap_debug("next clause");
+    }
+
+bad:
+    cap_free(res);
+    res = NULL;
+    errno = EINVAL;
+    return res;
+}
+
+/*
+ * lookup a capability name and return its numerical value
+ */
+int cap_from_name(const char *name, cap_value_t *value_p)
+{
+    int n;
+
+    if (((n = lookupname(&name)) >= 0) && (value_p != NULL)) {
+	*value_p = (unsigned) n;
+    }
+    return -(n < 0);
+}
+
+/*
+ * Convert a single capability index number into a string representation
+ */
+char *cap_to_name(cap_value_t cap)
+{
+    if ((cap < 0) || (cap >= __CAP_BITS)) {
+#if UINT_MAX != 4294967295U
+# error Recompile with correctly sized numeric array
+#endif
+	char *tmp, *result;
+
+	asprintf(&tmp, "%u", cap);
+	result = _libcap_strdup(tmp);
+	free(tmp);
+
+	return result;
+    } else {
+	return _libcap_strdup(_cap_names[cap]);
+    }
+}
+
+/*
+ * Convert an internal representation to a textual one. The textual
+ * representation is stored in static memory. It will be overwritten
+ * on the next occasion that this function is called.
+ */
+
+static int getstateflags(cap_t caps, int capno)
+{
+    int f = 0;
+
+    if (isset_cap(caps, capno, CAP_EFFECTIVE)) {
+	f |= LIBCAP_EFF;
+    }
+    if (isset_cap(caps, capno, CAP_PERMITTED)) {
+	f |= LIBCAP_PER;
+    }
+    if (isset_cap(caps, capno, CAP_INHERITABLE)) {
+	f |= LIBCAP_INH;
+    }
+
+    return f;
+}
+
+#define CAP_TEXT_BUFFER_ZONE 100
+
+char *cap_to_text(cap_t caps, ssize_t *length_p)
+{
+    char buf[CAP_TEXT_SIZE+CAP_TEXT_BUFFER_ZONE];
+    char *p;
+    int histo[8];
+    int m, t;
+    unsigned n;
+    unsigned cap_maxbits, cap_blks;
+
+    /* Check arguments */
+    if (!good_cap_t(caps)) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    switch (caps->head.version) {
+    case _LINUX_CAPABILITY_VERSION_1:
+	cap_blks = _LINUX_CAPABILITY_U32S_1;
+	break;
+    case _LINUX_CAPABILITY_VERSION_2:
+	cap_blks = _LINUX_CAPABILITY_U32S_2;
+	break;
+    case _LINUX_CAPABILITY_VERSION_3:
+	cap_blks = _LINUX_CAPABILITY_U32S_3;
+	break;
+    default:
+	errno = EINVAL;
+	return NULL;
+    }
+
+    cap_maxbits = 32 * cap_blks;
+
+    _cap_debugcap("e = ", *caps, CAP_EFFECTIVE);
+    _cap_debugcap("i = ", *caps, CAP_INHERITABLE);
+    _cap_debugcap("p = ", *caps, CAP_PERMITTED);
+
+    memset(histo, 0, sizeof(histo));
+
+    /* default prevailing state to the upper - unnamed bits */
+    for (n = cap_maxbits-1; n > __CAP_BITS; n--)
+	histo[getstateflags(caps, n)]++;
+
+    /* find which combination of capability sets shares the most bits
+       we bias to preferring non-set (m=0) with the >= 0 test. Failing
+       to do this causes strange things to happen with older systems
+       that don't know about bits 32+. */
+    for (m=t=7; t--; )
+	if (histo[t] >= histo[m])
+	    m = t;
+
+    /* capture remaining bits - selecting m from only the unnamed bits,
+       we maximize the likelihood that we won't see numeric capability
+       values in the text output. */
+    while (n--)
+	histo[getstateflags(caps, n)]++;
+
+    /* blank is not a valid capability set */
+    p = sprintf(buf, "=%s%s%s",
+		(m & LIBCAP_EFF) ? "e" : "",
+		(m & LIBCAP_INH) ? "i" : "",
+		(m & LIBCAP_PER) ? "p" : "" ) + buf;
+
+    for (t = 8; t--; )
+	if (t != m && histo[t]) {
+	    *p++ = ' ';
+	    for (n = 0; n < cap_maxbits; n++)
+		if (getstateflags(caps, n) == t) {
+		    char *this_cap_name;
+
+		    this_cap_name = cap_to_name(n);
+		    if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) {
+			cap_free(this_cap_name);
+			errno = ERANGE;
+			return NULL;
+		    }
+		    p += sprintf(p, "%s,", this_cap_name);
+		    cap_free(this_cap_name);
+		}
+	    p--;
+	    n = t & ~m;
+	    if (n)
+		p += sprintf(p, "+%s%s%s",
+			     (n & LIBCAP_EFF) ? "e" : "",
+			     (n & LIBCAP_INH) ? "i" : "",
+			     (n & LIBCAP_PER) ? "p" : "");
+	    n = ~t & m;
+	    if (n)
+		p += sprintf(p, "-%s%s%s",
+			     (n & LIBCAP_EFF) ? "e" : "",
+			     (n & LIBCAP_INH) ? "i" : "",
+			     (n & LIBCAP_PER) ? "p" : "");
+	    if (p - buf > CAP_TEXT_SIZE) {
+		errno = ERANGE;
+		return NULL;
+	    }
+	}
+
+    _cap_debug("%s", buf);
+    if (length_p) {
+	*length_p = p - buf;
+    }
+
+    return (_libcap_strdup(buf));
+}
diff --git a/libcap-2.19/libcap/include/linux/capability.h b/libcap-2.19/libcap/include/linux/capability.h
new file mode 100644
index 0000000..39e5ff5
--- /dev/null
+++ b/libcap-2.19/libcap/include/linux/capability.h
@@ -0,0 +1,571 @@
+/*
+ * This is <linux/capability.h>
+ *
+ * Andrew G. Morgan <morgan@kernel.org>
+ * Alexander Kjeldaas <astor@guardian.no>
+ * with help from Aleph1, Roland Buresund and Andrew Main.
+ *
+ * See here for the libcap library ("POSIX draft" compliance):
+ *
+ * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
+ */
+
+#ifndef _LINUX_CAPABILITY_H
+#define _LINUX_CAPABILITY_H
+
+#include <linux/types.h>
+
+struct task_struct;
+
+/* User-level do most of the mapping between kernel and user
+   capabilities based on the version tag given by the kernel. The
+   kernel might be somewhat backwards compatible, but don't bet on
+   it. */
+
+/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
+   a set of three capability sets.  The transposition of 3*the
+   following structure to such a composite is better handled in a user
+   library since the draft standard requires the use of malloc/free
+   etc.. */
+
+#define _LINUX_CAPABILITY_VERSION_1  0x19980330
+#define _LINUX_CAPABILITY_U32S_1     1
+
+#define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
+#define _LINUX_CAPABILITY_U32S_2     2
+
+#define _LINUX_CAPABILITY_VERSION_3  0x20080522
+#define _LINUX_CAPABILITY_U32S_3     2
+
+typedef struct __user_cap_header_struct {
+	__u32 version;
+	int pid;
+} __user *cap_user_header_t;
+
+typedef struct __user_cap_data_struct {
+        __u32 effective;
+        __u32 permitted;
+        __u32 inheritable;
+} __user *cap_user_data_t;
+
+
+#define XATTR_CAPS_SUFFIX "capability"
+#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+
+#define VFS_CAP_REVISION_MASK	0xFF000000
+#define VFS_CAP_REVISION_SHIFT	24
+#define VFS_CAP_FLAGS_MASK	~VFS_CAP_REVISION_MASK
+#define VFS_CAP_FLAGS_EFFECTIVE	0x000001
+
+#define VFS_CAP_REVISION_1	0x01000000
+#define VFS_CAP_U32_1           1
+#define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
+
+#define VFS_CAP_REVISION_2	0x02000000
+#define VFS_CAP_U32_2           2
+#define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
+
+#define XATTR_CAPS_SZ           XATTR_CAPS_SZ_2
+#define VFS_CAP_U32             VFS_CAP_U32_2
+#define VFS_CAP_REVISION	VFS_CAP_REVISION_2
+
+struct vfs_cap_data {
+	__le32 magic_etc;            /* Little endian */
+	struct {
+		__le32 permitted;    /* Little endian */
+		__le32 inheritable;  /* Little endian */
+	} data[VFS_CAP_U32];
+};
+
+#ifndef __KERNEL__
+
+/*
+ * Backwardly compatible definition for source code - trapped in a
+ * 32-bit world. If you find you need this, please consider using
+ * libcap to untrap yourself...
+ */
+#define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
+#define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
+
+#else
+
+#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
+#define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3
+
+extern int file_caps_enabled;
+
+typedef struct kernel_cap_struct {
+	__u32 cap[_KERNEL_CAPABILITY_U32S];
+} kernel_cap_t;
+
+/* exact same as vfs_cap_data but in cpu endian and always filled completely */
+struct cpu_vfs_cap_data {
+	__u32 magic_etc;
+	kernel_cap_t permitted;
+	kernel_cap_t inheritable;
+};
+
+#define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))
+#define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))
+
+#endif
+
+
+/**
+ ** POSIX-draft defined capabilities.
+ **/
+
+/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
+   overrides the restriction of changing file ownership and group
+   ownership. */
+
+#define CAP_CHOWN            0
+
+/* Override all DAC access, including ACL execute access if
+   [_POSIX_ACL] is defined. Excluding DAC access covered by
+   CAP_LINUX_IMMUTABLE. */
+
+#define CAP_DAC_OVERRIDE     1
+
+/* Overrides all DAC restrictions regarding read and search on files
+   and directories, including ACL restrictions if [_POSIX_ACL] is
+   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
+
+#define CAP_DAC_READ_SEARCH  2
+
+/* Overrides all restrictions about allowed operations on files, where
+   file owner ID must be equal to the user ID, except where CAP_FSETID
+   is applicable. It doesn't override MAC and DAC restrictions. */
+
+#define CAP_FOWNER           3
+
+/* Overrides the following restrictions that the effective user ID
+   shall match the file owner ID when setting the S_ISUID and S_ISGID
+   bits on that file; that the effective group ID (or one of the
+   supplementary group IDs) shall match the file owner ID when setting
+   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
+   cleared on successful return from chown(2) (not implemented). */
+
+#define CAP_FSETID           4
+
+/* Overrides the restriction that the real or effective user ID of a
+   process sending a signal must match the real or effective user ID
+   of the process receiving the signal. */
+
+#define CAP_KILL             5
+
+/* Allows setgid(2) manipulation */
+/* Allows setgroups(2) */
+/* Allows forged gids on socket credentials passing. */
+
+#define CAP_SETGID           6
+
+/* Allows set*uid(2) manipulation (including fsuid). */
+/* Allows forged pids on socket credentials passing. */
+
+#define CAP_SETUID           7
+
+
+/**
+ ** Linux-specific capabilities
+ **/
+
+/* Without VFS support for capabilities:
+ *   Transfer any capability in your permitted set to any pid,
+ *   remove any capability in your permitted set from any pid
+ * With VFS support for capabilities (neither of above, but)
+ *   Add any capability from current's capability bounding set
+ *       to the current process' inheritable set
+ *   Allow taking bits out of capability bounding set
+ *   Allow modification of the securebits for a process
+ */
+
+#define CAP_SETPCAP          8
+
+/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
+
+#define CAP_LINUX_IMMUTABLE  9
+
+/* Allows binding to TCP/UDP sockets below 1024 */
+/* Allows binding to ATM VCIs below 32 */
+
+#define CAP_NET_BIND_SERVICE 10
+
+/* Allow broadcasting, listen to multicast */
+
+#define CAP_NET_BROADCAST    11
+
+/* Allow interface configuration */
+/* Allow administration of IP firewall, masquerading and accounting */
+/* Allow setting debug option on sockets */
+/* Allow modification of routing tables */
+/* Allow setting arbitrary process / process group ownership on
+   sockets */
+/* Allow binding to any address for transparent proxying */
+/* Allow setting TOS (type of service) */
+/* Allow setting promiscuous mode */
+/* Allow clearing driver statistics */
+/* Allow multicasting */
+/* Allow read/write of device-specific registers */
+/* Allow activation of ATM control sockets */
+
+#define CAP_NET_ADMIN        12
+
+/* Allow use of RAW sockets */
+/* Allow use of PACKET sockets */
+
+#define CAP_NET_RAW          13
+
+/* Allow locking of shared memory segments */
+/* Allow mlock and mlockall (which doesn't really have anything to do
+   with IPC) */
+
+#define CAP_IPC_LOCK         14
+
+/* Override IPC ownership checks */
+
+#define CAP_IPC_OWNER        15
+
+/* Insert and remove kernel modules - modify kernel without limit */
+#define CAP_SYS_MODULE       16
+
+/* Allow ioperm/iopl access */
+/* Allow sending USB messages to any device via /proc/bus/usb */
+
+#define CAP_SYS_RAWIO        17
+
+/* Allow use of chroot() */
+
+#define CAP_SYS_CHROOT       18
+
+/* Allow ptrace() of any process */
+
+#define CAP_SYS_PTRACE       19
+
+/* Allow configuration of process accounting */
+
+#define CAP_SYS_PACCT        20
+
+/* Allow configuration of the secure attention key */
+/* Allow administration of the random device */
+/* Allow examination and configuration of disk quotas */
+/* Allow configuring the kernel's syslog (printk behaviour) */
+/* Allow setting the domainname */
+/* Allow setting the hostname */
+/* Allow calling bdflush() */
+/* Allow mount() and umount(), setting up new smb connection */
+/* Allow some autofs root ioctls */
+/* Allow nfsservctl */
+/* Allow VM86_REQUEST_IRQ */
+/* Allow to read/write pci config on alpha */
+/* Allow irix_prctl on mips (setstacksize) */
+/* Allow flushing all cache on m68k (sys_cacheflush) */
+/* Allow removing semaphores */
+/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
+   and shared memory */
+/* Allow locking/unlocking of shared memory segment */
+/* Allow turning swap on/off */
+/* Allow forged pids on socket credentials passing */
+/* Allow setting readahead and flushing buffers on block devices */
+/* Allow setting geometry in floppy driver */
+/* Allow turning DMA on/off in xd driver */
+/* Allow administration of md devices (mostly the above, but some
+   extra ioctls) */
+/* Allow tuning the ide driver */
+/* Allow access to the nvram device */
+/* Allow administration of apm_bios, serial and bttv (TV) device */
+/* Allow manufacturer commands in isdn CAPI support driver */
+/* Allow reading non-standardized portions of pci configuration space */
+/* Allow DDI debug ioctl on sbpcd driver */
+/* Allow setting up serial ports */
+/* Allow sending raw qic-117 commands */
+/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
+   arbitrary SCSI commands */
+/* Allow setting encryption key on loopback filesystem */
+/* Allow setting zone reclaim policy */
+
+#define CAP_SYS_ADMIN        21
+
+/* Allow use of reboot() */
+
+#define CAP_SYS_BOOT         22
+
+/* Allow raising priority and setting priority on other (different
+   UID) processes */
+/* Allow use of FIFO and round-robin (realtime) scheduling on own
+   processes and setting the scheduling algorithm used by another
+   process. */
+/* Allow setting cpu affinity on other processes */
+
+#define CAP_SYS_NICE         23
+
+/* Override resource limits. Set resource limits. */
+/* Override quota limits. */
+/* Override reserved space on ext2 filesystem */
+/* Modify data journaling mode on ext3 filesystem (uses journaling
+   resources) */
+/* NOTE: ext2 honors fsuid when checking for resource overrides, so
+   you can override using fsuid too */
+/* Override size restrictions on IPC message queues */
+/* Allow more than 64hz interrupts from the real-time clock */
+/* Override max number of consoles on console allocation */
+/* Override max number of keymaps */
+
+#define CAP_SYS_RESOURCE     24
+
+/* Allow manipulation of system clock */
+/* Allow irix_stime on mips */
+/* Allow setting the real-time clock */
+
+#define CAP_SYS_TIME         25
+
+/* Allow configuration of tty devices */
+/* Allow vhangup() of tty */
+
+#define CAP_SYS_TTY_CONFIG   26
+
+/* Allow the privileged aspects of mknod() */
+
+#define CAP_MKNOD            27
+
+/* Allow taking of leases on files */
+
+#define CAP_LEASE            28
+
+#define CAP_AUDIT_WRITE      29
+
+#define CAP_AUDIT_CONTROL    30
+
+#define CAP_SETFCAP	     31
+
+/* Override MAC access.
+   The base kernel enforces no MAC policy.
+   An LSM may enforce a MAC policy, and if it does and it chooses
+   to implement capability based overrides of that policy, this is
+   the capability it should use to do so. */
+
+#define CAP_MAC_OVERRIDE     32
+
+/* Allow MAC configuration or state changes.
+   The base kernel requires no MAC configuration.
+   An LSM may enforce a MAC policy, and if it does and it chooses
+   to implement capability based checks on modifications to that
+   policy or the data required to maintain it, this is the
+   capability it should use to do so. */
+
+#define CAP_MAC_ADMIN        33
+
+#define CAP_LAST_CAP         CAP_MAC_ADMIN
+
+#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+
+/*
+ * Bit location of each capability (used by user-space library and kernel)
+ */
+
+#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
+#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
+
+#ifdef __KERNEL__
+
+/*
+ * Internal kernel functions only
+ */
+
+#define CAP_FOR_EACH_U32(__capi)  \
+	for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
+
+/*
+ * CAP_FS_MASK and CAP_NFSD_MASKS:
+ *
+ * The fs mask is all the privileges that fsuid==0 historically meant.
+ * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
+ *
+ * It has never meant setting security.* and trusted.* xattrs.
+ *
+ * We could also define fsmask as follows:
+ *   1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
+ *   2. The security.* and trusted.* xattrs are fs-related MAC permissions
+ */
+
+# define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)		\
+			    | CAP_TO_MASK(CAP_MKNOD)		\
+			    | CAP_TO_MASK(CAP_DAC_OVERRIDE)	\
+			    | CAP_TO_MASK(CAP_DAC_READ_SEARCH)	\
+			    | CAP_TO_MASK(CAP_FOWNER)		\
+			    | CAP_TO_MASK(CAP_FSETID))
+
+# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
+
+#if _KERNEL_CAPABILITY_U32S != 2
+# error Fix up hand-coded capability macro initializers
+#else /* HAND-CODED capability initializers */
+
+# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
+# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
+# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
+# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+				    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
+				    CAP_FS_MASK_B1 } })
+# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
+				    | CAP_TO_MASK(CAP_SYS_RESOURCE), \
+				    CAP_FS_MASK_B1 } })
+
+#endif /* _KERNEL_CAPABILITY_U32S != 2 */
+
+#define CAP_INIT_INH_SET    CAP_EMPTY_SET
+
+# define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)
+# define cap_set_full(c)      do { (c) = __cap_full_set; } while (0)
+# define cap_set_init_eff(c)  do { (c) = __cap_init_eff_set; } while (0)
+
+#define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
+#define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
+#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
+
+#define CAP_BOP_ALL(c, a, b, OP)                                    \
+do {                                                                \
+	unsigned __capi;                                            \
+	CAP_FOR_EACH_U32(__capi) {                                  \
+		c.cap[__capi] = a.cap[__capi] OP b.cap[__capi];     \
+	}                                                           \
+} while (0)
+
+#define CAP_UOP_ALL(c, a, OP)                                       \
+do {                                                                \
+	unsigned __capi;                                            \
+	CAP_FOR_EACH_U32(__capi) {                                  \
+		c.cap[__capi] = OP a.cap[__capi];                   \
+	}                                                           \
+} while (0)
+
+static inline kernel_cap_t cap_combine(const kernel_cap_t a,
+				       const kernel_cap_t b)
+{
+	kernel_cap_t dest;
+	CAP_BOP_ALL(dest, a, b, |);
+	return dest;
+}
+
+static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
+					 const kernel_cap_t b)
+{
+	kernel_cap_t dest;
+	CAP_BOP_ALL(dest, a, b, &);
+	return dest;
+}
+
+static inline kernel_cap_t cap_drop(const kernel_cap_t a,
+				    const kernel_cap_t drop)
+{
+	kernel_cap_t dest;
+	CAP_BOP_ALL(dest, a, drop, &~);
+	return dest;
+}
+
+static inline kernel_cap_t cap_invert(const kernel_cap_t c)
+{
+	kernel_cap_t dest;
+	CAP_UOP_ALL(dest, c, ~);
+	return dest;
+}
+
+static inline int cap_isclear(const kernel_cap_t a)
+{
+	unsigned __capi;
+	CAP_FOR_EACH_U32(__capi) {
+		if (a.cap[__capi] != 0)
+			return 0;
+	}
+	return 1;
+}
+
+/*
+ * Check if "a" is a subset of "set".
+ * return 1 if ALL of the capabilities in "a" are also in "set"
+ *	cap_issubset(0101, 1111) will return 1
+ * return 0 if ANY of the capabilities in "a" are not in "set"
+ *	cap_issubset(1111, 0101) will return 0
+ */
+static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
+{
+	kernel_cap_t dest;
+	dest = cap_drop(a, set);
+	return cap_isclear(dest);
+}
+
+/* Used to decide between falling back on the old suser() or fsuser(). */
+
+static inline int cap_is_fs_cap(int cap)
+{
+	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+	return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
+}
+
+static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
+{
+	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+	return cap_drop(a, __cap_fs_set);
+}
+
+static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
+					    const kernel_cap_t permitted)
+{
+	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
+	return cap_combine(a,
+			   cap_intersect(permitted, __cap_fs_set));
+}
+
+static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
+{
+	const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
+	return cap_drop(a, __cap_fs_set);
+}
+
+static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
+					      const kernel_cap_t permitted)
+{
+	const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
+	return cap_combine(a,
+			   cap_intersect(permitted, __cap_nfsd_set));
+}
+
+extern const kernel_cap_t __cap_empty_set;
+extern const kernel_cap_t __cap_full_set;
+extern const kernel_cap_t __cap_init_eff_set;
+
+/**
+ * has_capability - Determine if a task has a superior capability available
+ * @t: The task in question
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect, false if not.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
+
+/**
+ * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
+ * @t: The task in question
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect, false if not, but don't write an audit message for the
+ * check.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+#define has_capability_noaudit(t, cap) \
+	(security_real_capable_noaudit((t), (cap)) == 0)
+
+extern int capable(int cap);
+
+/* audit system wants to get cap info from files as well */
+struct dentry;
+extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
+
+#endif /* __KERNEL__ */
+
+#endif /* !_LINUX_CAPABILITY_H */
diff --git a/libcap-2.19/libcap/include/linux/prctl.h b/libcap-2.19/libcap/include/linux/prctl.h
new file mode 100644
index 0000000..a3baeb2
--- /dev/null
+++ b/libcap-2.19/libcap/include/linux/prctl.h
@@ -0,0 +1,105 @@
+#ifndef _LINUX_PRCTL_H
+#define _LINUX_PRCTL_H
+
+/* Values to pass as first argument to prctl() */
+
+#define PR_SET_PDEATHSIG  1  /* Second arg is a signal */
+#define PR_GET_PDEATHSIG  2  /* Second arg is a ptr to return the signal */
+
+/* Get/set current->mm->dumpable */
+#define PR_GET_DUMPABLE   3
+#define PR_SET_DUMPABLE   4
+
+/* Get/set unaligned access control bits (if meaningful) */
+#define PR_GET_UNALIGN	  5
+#define PR_SET_UNALIGN	  6
+# define PR_UNALIGN_NOPRINT	1	/* silently fix up unaligned user accesses */
+# define PR_UNALIGN_SIGBUS	2	/* generate SIGBUS on unaligned user access */
+
+/* Get/set whether or not to drop capabilities on setuid() away from
+ * uid 0 (as per security/commoncap.c) */
+#define PR_GET_KEEPCAPS   7
+#define PR_SET_KEEPCAPS   8
+
+/* Get/set floating-point emulation control bits (if meaningful) */
+#define PR_GET_FPEMU  9
+#define PR_SET_FPEMU 10
+# define PR_FPEMU_NOPRINT	1	/* silently emulate fp operations accesses */
+# define PR_FPEMU_SIGFPE	2	/* don't emulate fp operations, send SIGFPE instead */
+
+/* Get/set floating-point exception mode (if meaningful) */
+#define PR_GET_FPEXC	11
+#define PR_SET_FPEXC	12
+# define PR_FP_EXC_SW_ENABLE	0x80	/* Use FPEXC for FP exception enables */
+# define PR_FP_EXC_DIV		0x010000	/* floating point divide by zero */
+# define PR_FP_EXC_OVF		0x020000	/* floating point overflow */
+# define PR_FP_EXC_UND		0x040000	/* floating point underflow */
+# define PR_FP_EXC_RES		0x080000	/* floating point inexact result */
+# define PR_FP_EXC_INV		0x100000	/* floating point invalid operation */
+# define PR_FP_EXC_DISABLED	0	/* FP exceptions disabled */
+# define PR_FP_EXC_NONRECOV	1	/* async non-recoverable exc. mode */
+# define PR_FP_EXC_ASYNC	2	/* async recoverable exception mode */
+# define PR_FP_EXC_PRECISE	3	/* precise exception mode */
+
+/* Get/set whether we use statistical process timing or accurate timestamp
+ * based process timing */
+#define PR_GET_TIMING   13
+#define PR_SET_TIMING   14
+# define PR_TIMING_STATISTICAL  0       /* Normal, traditional,
+                                                   statistical process timing */
+# define PR_TIMING_TIMESTAMP    1       /* Accurate timestamp based
+                                                   process timing */
+
+#define PR_SET_NAME    15		/* Set process name */
+#define PR_GET_NAME    16		/* Get process name */
+
+/* Get/set process endian */
+#define PR_GET_ENDIAN	19
+#define PR_SET_ENDIAN	20
+# define PR_ENDIAN_BIG		0
+# define PR_ENDIAN_LITTLE	1	/* True little endian mode */
+# define PR_ENDIAN_PPC_LITTLE	2	/* "PowerPC" pseudo little endian */
+
+/* Get/set process seccomp mode */
+#define PR_GET_SECCOMP	21
+#define PR_SET_SECCOMP	22
+
+/* Get/set the capability bounding set (as per security/commoncap.c) */
+#define PR_CAPBSET_READ 23
+#define PR_CAPBSET_DROP 24
+
+/* Get/set the process' ability to use the timestamp counter instruction */
+#define PR_GET_TSC 25
+#define PR_SET_TSC 26
+# define PR_TSC_ENABLE		1	/* allow the use of the timestamp counter */
+# define PR_TSC_SIGSEGV		2	/* throw a SIGSEGV instead of reading the TSC */
+
+/* Get/set securebits (as per security/commoncap.c) */
+#define PR_GET_SECUREBITS 27
+#define PR_SET_SECUREBITS 28
+
+/*
+ * Get/set the timerslack as used by poll/select/nanosleep
+ * A value of 0 means "use default"
+ */
+#define PR_SET_TIMERSLACK 29
+#define PR_GET_TIMERSLACK 30
+
+#define PR_TASK_PERF_EVENTS_DISABLE		31
+#define PR_TASK_PERF_EVENTS_ENABLE		32
+
+/*
+ * Set early/late kill mode for hwpoison memory corruption.
+ * This influences when the process gets killed on a memory corruption.
+ */
+#define PR_MCE_KILL	33
+# define PR_MCE_KILL_CLEAR   0
+# define PR_MCE_KILL_SET     1
+
+# define PR_MCE_KILL_LATE    0
+# define PR_MCE_KILL_EARLY   1
+# define PR_MCE_KILL_DEFAULT 2
+
+#define PR_MCE_KILL_GET 34
+
+#endif /* _LINUX_PRCTL_H */
diff --git a/libcap-2.19/libcap/include/linux/securebits.h b/libcap-2.19/libcap/include/linux/securebits.h
new file mode 100644
index 0000000..3340617
--- /dev/null
+++ b/libcap-2.19/libcap/include/linux/securebits.h
@@ -0,0 +1,54 @@
+#ifndef _LINUX_SECUREBITS_H
+#define _LINUX_SECUREBITS_H 1
+
+/* Each securesetting is implemented using two bits. One bit specifies
+   whether the setting is on or off. The other bit specify whether the
+   setting is locked or not. A setting which is locked cannot be
+   changed from user-level. */
+#define issecure_mask(X)	(1 << (X))
+#ifdef __KERNEL__
+#define issecure(X)		(issecure_mask(X) & current_cred_xxx(securebits))
+#endif
+
+#define SECUREBITS_DEFAULT 0x00000000
+
+/* When set UID 0 has no special privileges. When unset, we support
+   inheritance of root-permissions and suid-root executable under
+   compatibility mode. We raise the effective and inheritable bitmasks
+   *of the executable file* if the effective uid of the new process is
+   0. If the real uid is 0, we raise the effective (legacy) bit of the
+   executable file. */
+#define SECURE_NOROOT			0
+#define SECURE_NOROOT_LOCKED		1  /* make bit-0 immutable */
+
+#define SECBIT_NOROOT		(issecure_mask(SECURE_NOROOT))
+#define SECBIT_NOROOT_LOCKED	(issecure_mask(SECURE_NOROOT_LOCKED))
+
+/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
+   When unset, to provide compatiblility with old programs relying on
+   set*uid to gain/lose privilege, transitions to/from uid 0 cause
+   capabilities to be gained/lost. */
+#define SECURE_NO_SETUID_FIXUP		2
+#define SECURE_NO_SETUID_FIXUP_LOCKED	3  /* make bit-2 immutable */
+
+#define SECBIT_NO_SETUID_FIXUP	(issecure_mask(SECURE_NO_SETUID_FIXUP))
+#define SECBIT_NO_SETUID_FIXUP_LOCKED \
+			(issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
+
+/* When set, a process can retain its capabilities even after
+   transitioning to a non-root user (the set-uid fixup suppressed by
+   bit 2). Bit-4 is cleared when a process calls exec(); setting both
+   bit 4 and 5 will create a barrier through exec that no exec()'d
+   child can use this feature again. */
+#define SECURE_KEEP_CAPS		4
+#define SECURE_KEEP_CAPS_LOCKED		5  /* make bit-4 immutable */
+
+#define SECBIT_KEEP_CAPS	(issecure_mask(SECURE_KEEP_CAPS))
+#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
+
+#define SECURE_ALL_BITS		(issecure_mask(SECURE_NOROOT) | \
+				 issecure_mask(SECURE_NO_SETUID_FIXUP) | \
+				 issecure_mask(SECURE_KEEP_CAPS))
+#define SECURE_ALL_LOCKS	(SECURE_ALL_BITS << 1)
+
+#endif /* !_LINUX_SECUREBITS_H */
diff --git a/libcap-2.19/libcap/include/sys/capability.h b/libcap-2.19/libcap/include/sys/capability.h
new file mode 100644
index 0000000..c749327
--- /dev/null
+++ b/libcap-2.19/libcap/include/sys/capability.h
@@ -0,0 +1,124 @@
+/*
+ * <sys/capability.h>
+ *
+ * Copyright (C) 1997   Aleph One
+ * Copyright (C) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * defunct POSIX.1e Standard: 25.2 Capabilities           <sys/capability.h>
+ */
+
+#ifndef _SYS_CAPABILITY_H
+#define _SYS_CAPABILITY_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This file complements the kernel file by providing prototype
+ * information for the user library.
+ */
+
+#include <sys/types.h>
+#include <stdint.h>
+#include <linux/types.h>
+
+/*
+ * Required to limit what gets defined in the kernel header file.
+ */
+#ifndef __user
+#define __user
+#endif
+#include <linux/capability.h>
+
+/*
+ * POSIX capability types
+ */
+
+/*
+ * Opaque capability handle (defined internally by libcap)
+ * internal capability representation
+ */
+typedef struct _cap_struct *cap_t;
+
+/* "external" capability representation is a (void *) */
+
+/*
+ * This is the type used to identify capabilities
+ */
+
+typedef int cap_value_t;
+
+/*
+ * Set identifiers
+ */
+typedef enum {
+    CAP_EFFECTIVE=0,                        /* Specifies the effective flag */
+    CAP_PERMITTED=1,                        /* Specifies the permitted flag */
+    CAP_INHERITABLE=2                     /* Specifies the inheritable flag */
+} cap_flag_t;
+
+/*
+ * These are the states available to each capability
+ */
+typedef enum {
+    CAP_CLEAR=0,                            /* The flag is cleared/disabled */
+    CAP_SET=1                                    /* The flag is set/enabled */
+} cap_flag_value_t;
+
+/*
+ * User-space capability manipulation routines
+ */
+
+/* libcap/cap_alloc.c */
+extern cap_t   cap_dup(cap_t);
+extern int     cap_free(void *);
+extern cap_t   cap_init(void);
+
+/* libcap/cap_flag.c */
+extern int     cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *);
+extern int     cap_set_flag(cap_t, cap_flag_t, int, const cap_value_t *,
+			    cap_flag_value_t);
+extern int     cap_clear(cap_t);
+extern int     cap_clear_flag(cap_t, cap_flag_t);
+
+/* libcap/cap_file.c */
+extern cap_t   cap_get_fd(int);
+extern cap_t   cap_get_file(const char *);
+extern int     cap_set_fd(int, cap_t);
+extern int     cap_set_file(const char *, cap_t);
+
+/* libcap/cap_proc.c */
+extern cap_t   cap_get_proc(void);
+extern cap_t   cap_get_pid(pid_t);
+extern int     cap_set_proc(cap_t);
+
+/* libcap/cap_extint.c */
+extern ssize_t cap_size(cap_t);
+extern ssize_t cap_copy_ext(void *, cap_t, ssize_t);
+extern cap_t   cap_copy_int(const void *);
+
+/* libcap/cap_text.c */
+extern cap_t   cap_from_text(const char *);
+extern char *  cap_to_text(cap_t, ssize_t *);
+extern int     cap_from_name(const char *, cap_value_t *);
+extern char *  cap_to_name(cap_value_t);
+
+#define CAP_DIFFERS(result, flag)  (((result) & (1 << (flag))) != 0)
+extern int     cap_compare(cap_t, cap_t);
+
+/* system calls - look to libc for function to system call mapping */
+extern int capset(cap_user_header_t header, cap_user_data_t data);
+extern int capget(cap_user_header_t header, const cap_user_data_t data);
+
+/* deprecated - use cap_get_pid() */
+extern int capgetp(pid_t pid, cap_t cap_d);
+
+/* not valid with filesystem capability support - use cap_set_proc() */
+extern int capsetp(pid_t pid, cap_t cap_d);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SYS_CAPABILITY_H */
diff --git a/libcap-2.19/libcap/include/sys/securebits.h b/libcap-2.19/libcap/include/sys/securebits.h
new file mode 100644
index 0000000..14cf3c5
--- /dev/null
+++ b/libcap-2.19/libcap/include/sys/securebits.h
@@ -0,0 +1,22 @@
+/*
+ * <sys/securebits.h>
+ * Copyright (C) 2010	Serge Hallyn <serue@us.ibm.com>
+ */
+
+#ifndef _SYS_SECUREBITS_H
+#define _SYS_SECUREBITS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef __user
+#define __user
+#endif
+#include <linux/securebits.h>
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SYS_SECUREBITS_H */
diff --git a/libcap-2.19/libcap/libcap.h b/libcap-2.19/libcap/libcap.h
new file mode 100644
index 0000000..1e66f98
--- /dev/null
+++ b/libcap-2.19/libcap/libcap.h
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 1997 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file contains internal definitions for the various functions in
+ * this small capability library.
+ */
+
+#ifndef LIBCAP_H
+#define LIBCAP_H
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/capability.h>
+
+#ifndef __u8
+#define __u8    unsigned char
+#endif /* __8 */
+
+#ifndef __u32
+#define __u32   unsigned int
+#endif /* __u32 */
+
+/* include the names for the caps and a definition of __CAP_BITS */
+#include "cap_names.h"
+
+#ifndef _LINUX_CAPABILITY_U32S_1
+# define _LINUX_CAPABILITY_U32S_1          1
+#endif /* ndef _LINUX_CAPABILITY_U32S */
+
+/*
+ * Do we match the local kernel?
+ */
+
+#if !defined(_LINUX_CAPABILITY_VERSION)
+
+# error Kernel <linux/capability.h> does not support library
+# error file "libcap.h" --> fix and recompile libcap
+
+#elif !defined(_LINUX_CAPABILITY_VERSION_2)
+
+# warning Kernel <linux/capability.h> does not support 64-bit capabilities
+# warning and libcap is being built with no support for 64-bit capabilities
+
+# ifndef _LINUX_CAPABILITY_VERSION_1
+#  define _LINUX_CAPABILITY_VERSION_1 0x19980330
+# endif
+
+# _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
+# _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
+
+#elif defined(_LINUX_CAPABILITY_VERSION_3)
+
+# if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522)
+#  error Kernel <linux/capability.h> v3 does not match library
+#  error file "libcap.h" --> fix and recompile libcap
+# else
+#  define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_3
+#  define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_3
+# endif
+
+#elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026)
+
+# error Kernel <linux/capability.h> does not match library
+# error file "libcap.h" --> fix and recompile libcap
+
+#else
+
+# define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_2
+# define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_2
+
+#endif
+
+#undef _LINUX_CAPABILITY_VERSION
+#undef _LINUX_CAPABILITY_U32S
+
+/*
+ * This is a pointer to a struct containing three consecutive
+ * capability sets in the order of the cap_flag_t type: the are
+ * effective,inheritable and permitted.  This is the type that the
+ * user-space routines think of as 'internal' capabilities - this is
+ * the type that is passed to the kernel with the system calls related
+ * to processes.
+ */
+
+#if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32)
+# define VFS_CAP_U32_1                   1
+# define XATTR_CAPS_SZ_1                 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
+# define VFS_CAP_U32                     VFS_CAP_U32_1
+struct _cap_vfs_cap_data {
+    __le32 magic_etc;
+    struct {
+	__le32 permitted;
+	__le32 inheritable;
+    } data[VFS_CAP_U32_1];
+};
+# define vfs_cap_data                    _cap_vfs_cap_data
+#endif
+
+#ifndef CAP_TO_INDEX
+# define CAP_TO_INDEX(x)     ((x) >> 5)  /* 1 << 5 == bits in __u32 */
+#endif /* ndef CAP_TO_INDEX */
+
+#ifndef CAP_TO_MASK
+# define CAP_TO_MASK(x)      (1 << ((x) & 31))
+#endif /* ndef CAP_TO_MASK */
+
+#define NUMBER_OF_CAP_SETS      3   /* effective, inheritable, permitted */
+#define __CAP_BLKS   (_LIBCAP_CAPABILITY_U32S)
+#define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32))
+
+#define CAP_T_MAGIC 0xCA90D0
+struct _cap_struct {
+    struct __user_cap_header_struct head;
+    union {
+	struct __user_cap_data_struct set;
+	__u32 flat[NUMBER_OF_CAP_SETS];
+    } u[_LIBCAP_CAPABILITY_U32S];
+};
+
+/* the maximum bits supportable */
+#define __CAP_MAXBITS (__CAP_BLKS * 32)
+
+/* string magic for cap_free */
+#define CAP_S_MAGIC 0xCA95D0
+
+/*
+ * kernel API cap set abstraction
+ */
+
+#define raise_cap(x,set)   u[(x)>>5].flat[set]       |=  (1<<((x)&31))
+#define lower_cap(x,set)   u[(x)>>5].flat[set]       &= ~(1<<((x)&31))
+#define isset_cap(y,x,set) ((y)->u[(x)>>5].flat[set] &   (1<<((x)&31)))
+
+/*
+ * Private definitions for internal use by the library.
+ */
+
+#define __libcap_check_magic(c,magic) ((c) && *(-1+(__u32 *)(c)) == (magic))
+#define good_cap_t(c)        __libcap_check_magic(c, CAP_T_MAGIC)
+#define good_cap_string(c)   __libcap_check_magic(c, CAP_S_MAGIC)
+
+/*
+ * These match CAP_DIFFERS() expectations
+ */
+#define LIBCAP_EFF   (1 << CAP_EFFECTIVE)
+#define LIBCAP_INH   (1 << CAP_INHERITABLE)
+#define LIBCAP_PER   (1 << CAP_PERMITTED)
+
+/*
+ * library debugging
+ */
+#ifdef DEBUG
+
+#include <stdio.h>
+# define _cap_debug(f, x...)  do { \
+    fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \
+    fprintf(stderr, f, ## x); \
+    fprintf(stderr, "\n"); \
+} while (0)
+
+# define _cap_debugcap(s, c, set) do { \
+    unsigned _cap_index; \
+    fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \
+    for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \
+       fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \
+    } \
+    fprintf(stderr, "\n"); \
+} while (0)
+
+#else /* !DEBUG */
+
+# define _cap_debug(f, x...)
+# define _cap_debugcap(s, c, set)
+
+#endif /* DEBUG */
+
+extern char *_libcap_strdup(const char *text);
+
+/*
+ * These are semi-public prototypes, they will only be defined in
+ * <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we
+ * place them here too.
+ */
+
+extern int capset(cap_user_header_t header, cap_user_data_t data);
+extern int capget(cap_user_header_t header, const cap_user_data_t data);
+extern int capgetp(pid_t pid, cap_t cap_d);
+extern int capsetp(pid_t pid, cap_t cap_d);
+
+/* prctl based API for altering character of current process */
+#define PR_GET_KEEPCAPS    7
+#define PR_SET_KEEPCAPS    8
+#define PR_CAPBSET_READ   23
+#define PR_CAPBSET_DROP   24
+#define PR_GET_SECUREBITS 27
+#define PR_SET_SECUREBITS 28
+
+#endif /* LIBCAP_H */
diff --git a/libcap-2.19/pam_cap/License b/libcap-2.19/pam_cap/License
new file mode 100644
index 0000000..e88aa3f
--- /dev/null
+++ b/libcap-2.19/pam_cap/License
@@ -0,0 +1,41 @@
+Unless otherwise *explicitly* stated the following text describes the
+licensed conditions under which the contents of this module release
+may be distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of this module, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+   notice, and this entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+   copyright notices, this list of conditions, and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+   products derived from this software without their specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU Library General Public License, in which case the provisions of
+the GNU LGPL are required INSTEAD OF the above restrictions.  (This
+clause is necessary due to a potential conflict between the GNU LGPL
+and the restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
diff --git a/libcap-2.19/pam_cap/Makefile b/libcap-2.19/pam_cap/Makefile
new file mode 100644
index 0000000..eae88ed
--- /dev/null
+++ b/libcap-2.19/pam_cap/Makefile
@@ -0,0 +1,26 @@
+# simple make file for the pam_cap module
+
+topdir=$(shell pwd)/..
+include ../Make.Rules
+
+LDLIBS += -lcap
+CFLAGS += -fPIC
+
+all: pam_cap.so
+	$(MAKE) testcompile
+
+install: all
+	mkdir -p -m 0755 $(LIBDIR)/security
+	install -m 0755 pam_cap.so $(LIBDIR)/security
+
+pam_cap.so: pam_cap.o
+	$(LD) $(LDFLAGS) -o pam_cap.so $< $(LDLIBS)
+
+pam_cap.o: pam_cap.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+testcompile: test.c pam_cap.o
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+ -lpam -ldl $(LDLIBS)
+
+clean:
+	rm -f *.o *.so testcompile *~
diff --git a/libcap-2.19/pam_cap/capability.conf b/libcap-2.19/pam_cap/capability.conf
new file mode 100644
index 0000000..0685b2e
--- /dev/null
+++ b/libcap-2.19/pam_cap/capability.conf
@@ -0,0 +1,29 @@
+#
+# /etc/security/capability.conf
+#
+# this is a sample capability file (to be used in conjunction with
+# the pam_cap.so module)
+#
+# In order to use this module, it must have been linked with libcap
+# and thus you'll know about Linux's capability support.
+# [If you don't know about libcap, the sources for it are here:
+#
+#   http://linux.kernel.org/pub/linux/libs/security/linux-privs/
+#
+# .]
+#
+# Here are some sample lines (remove the preceding '#' if you want to
+# use them
+
+## user 'morgan' gets the CAP_SETFCAP inheritable capability
+#cap_setfcap		morgan
+
+## user 'luser' inherits the CAP_DAC_OVERRIDE capability
+#cap_dac_override	luser
+
+## 'everyone else' gets no inheritable capabilities
+none  *
+
+## if there is no '*' entry, all users not explicitly mentioned will
+## get all available capabilities. This is a permissive default, and
+## probably not what you want...
diff --git a/libcap-2.19/pam_cap/pam_cap.c b/libcap-2.19/pam_cap/pam_cap.c
new file mode 100644
index 0000000..e6ebbe9
--- /dev/null
+++ b/libcap-2.19/pam_cap/pam_cap.c
@@ -0,0 +1,310 @@
+/*
+ * Copyright (c) 1999,2007 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * The purpose of this module is to enforce inheritable capability sets
+ * for a specified user.
+ */
+
+/* #define DEBUG */
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <sys/capability.h>
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+#define USER_CAP_FILE           "/etc/security/capability.conf"
+#define CAP_FILE_BUFFER_SIZE    4096
+#define CAP_FILE_DELIMITERS     " \t\n"
+#define CAP_COMBINED_FORMAT     "%s all-i %s+i"
+#define CAP_DROP_ALL            "%s all-i"
+
+struct pam_cap_s {
+    int debug;
+    const char *user;
+    const char *conf_filename;
+};
+
+/* obtain the inheritable capabilities for the current user */
+
+static char *read_capabilities_for_user(const char *user, const char *source)
+{
+    char *cap_string = NULL;
+    char buffer[CAP_FILE_BUFFER_SIZE], *line;
+    FILE *cap_file;
+
+    cap_file = fopen(source, "r");
+    if (cap_file == NULL) {
+	D(("failed to open capability file"));
+	return NULL;
+    }
+
+    while ((line = fgets(buffer, CAP_FILE_BUFFER_SIZE, cap_file))) {
+	int found_one = 0;
+	const char *cap_text;
+
+	cap_text = strtok(line, CAP_FILE_DELIMITERS);
+
+	if (cap_text == NULL) {
+	    D(("empty line"));
+	    continue;
+	}
+	if (*cap_text == '#') {
+	    D(("comment line"));
+	    continue;
+	}
+
+	while ((line = strtok(NULL, CAP_FILE_DELIMITERS))) {
+
+	    if (strcmp("*", line) == 0) {
+		D(("wildcard matched"));
+		found_one = 1;
+		cap_string = strdup(cap_text);
+		break;
+	    }
+
+	    if (strcmp(user, line) == 0) {
+		D(("exact match for user"));
+		found_one = 1;
+		cap_string = strdup(cap_text);
+		break;
+	    }
+
+	    D(("user is not [%s] - skipping", line));
+	}
+
+	cap_text = NULL;
+	line = NULL;
+
+	if (found_one) {
+	    D(("user [%s] matched - caps are [%s]", user, cap_string));
+	    break;
+	}
+    }
+
+    fclose(cap_file);
+
+    memset(buffer, 0, CAP_FILE_BUFFER_SIZE);
+
+    return cap_string;
+}
+
+/*
+ * Set capabilities for current process to match the current
+ * permitted+executable sets combined with the configured inheritable
+ * set.
+ */
+
+static int set_capabilities(struct pam_cap_s *cs)
+{
+    cap_t cap_s;
+    ssize_t length = 0;
+    char *conf_icaps;
+    char *proc_epcaps;
+    char *combined_caps;
+    int ok = 0;
+
+    cap_s = cap_get_proc();
+    if (cap_s == NULL) {
+	D(("your kernel is capability challenged - upgrade: %s",
+	   strerror(errno)));
+	return 0;
+    }
+
+    conf_icaps =
+	read_capabilities_for_user(cs->user,
+				   cs->conf_filename
+				   ? cs->conf_filename:USER_CAP_FILE );
+    if (conf_icaps == NULL) {
+	D(("no capabilities found for user [%s]", cs->user));
+	goto cleanup_cap_s;
+    }
+
+    proc_epcaps = cap_to_text(cap_s, &length);
+    if (proc_epcaps == NULL) {
+	D(("unable to convert process capabilities to text"));
+	goto cleanup_icaps;
+    }
+
+    /*
+     * This is a pretty inefficient way to combine
+     * capabilities. However, it seems to be the most straightforward
+     * one, given the limitations of the POSIX.1e draft spec. The spec
+     * is optimized for applications that know the capabilities they
+     * want to manipulate at compile time.
+     */
+
+    combined_caps = malloc(1+strlen(CAP_COMBINED_FORMAT)
+			   +strlen(proc_epcaps)+strlen(conf_icaps));
+    if (combined_caps == NULL) {
+	D(("unable to combine capabilities into one string - no memory"));
+	goto cleanup_epcaps;
+    }
+
+    if (!strcmp(conf_icaps, "none")) {
+	sprintf(combined_caps, CAP_DROP_ALL, proc_epcaps);
+    } else if (!strcmp(conf_icaps, "all")) {
+	/* no change */
+	sprintf(combined_caps, "%s", proc_epcaps);
+    } else {
+	sprintf(combined_caps, CAP_COMBINED_FORMAT, proc_epcaps, conf_icaps);
+    }
+    D(("combined_caps=[%s]", combined_caps));
+
+    cap_free(cap_s);
+    cap_s = cap_from_text(combined_caps);
+    _pam_overwrite(combined_caps);
+    _pam_drop(combined_caps);
+
+#ifdef DEBUG
+    {
+        char *temp = cap_to_text(cap_s, NULL);
+	D(("abbreviated caps for process will be [%s]", temp));
+	cap_free(temp);
+    }
+#endif /* DEBUG */
+
+    if (cap_s == NULL) {
+	D(("no capabilies to set"));
+    } else if (cap_set_proc(cap_s) == 0) {
+	D(("capabilities were set correctly"));
+	ok = 1;
+    } else {
+	D(("failed to set specified capabilities: %s", strerror(errno)));
+    }
+
+cleanup_epcaps:
+    cap_free(proc_epcaps);
+
+cleanup_icaps:
+    _pam_overwrite(conf_icaps);
+    _pam_drop(conf_icaps);
+
+cleanup_cap_s:
+    if (cap_s) {
+	cap_free(cap_s);
+	cap_s = NULL;
+    }
+
+    return ok;
+}
+
+/* log errors */
+
+static void _pam_log(int err, const char *format, ...)
+{
+    va_list args;
+
+    va_start(args, format);
+    openlog("pam_cap", LOG_CONS|LOG_PID, LOG_AUTH);
+    vsyslog(err, format, args);
+    va_end(args);
+    closelog();
+}
+
+static void parse_args(int argc, const char **argv, struct pam_cap_s *pcs)
+{
+    int ctrl=0;
+
+    /* step through arguments */
+    for (ctrl=0; argc-- > 0; ++argv) {
+
+	if (!strcmp(*argv, "debug")) {
+	    pcs->debug = 1;
+	} else if (!memcmp(*argv, "config=", 7)) {
+	    pcs->conf_filename = 7 + *argv;
+	} else {
+	    _pam_log(LOG_ERR, "unknown option; %s", *argv);
+	}
+
+    }
+}
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+			int argc, const char **argv)
+{
+    int retval;
+    struct pam_cap_s pcs;
+    char *conf_icaps;
+
+    memset(&pcs, 0, sizeof(pcs));
+
+    parse_args(argc, argv, &pcs);
+
+    retval = pam_get_user(pamh, &pcs.user, NULL);
+
+    if (retval == PAM_CONV_AGAIN) {
+	D(("user conversation is not available yet"));
+	memset(&pcs, 0, sizeof(pcs));
+	return PAM_INCOMPLETE;
+    }
+
+    if (retval != PAM_SUCCESS) {
+	D(("pam_get_user failed: %s", pam_strerror(pamh, retval)));
+	memset(&pcs, 0, sizeof(pcs));
+	return PAM_AUTH_ERR;
+    }
+
+    conf_icaps =
+	read_capabilities_for_user(pcs.user,
+				   pcs.conf_filename
+				   ? pcs.conf_filename:USER_CAP_FILE );
+
+    memset(&pcs, 0, sizeof(pcs));
+
+    if (conf_icaps) {
+	D(("it appears that there are capabilities for this user [%s]",
+	   conf_icaps));
+
+	/* We could also store this as a pam_[gs]et_data item for use
+	   by the setcred call to follow. As it is, there is a small
+	   race associated with a redundant read. Oh well, if you
+	   care, send me a patch.. */
+
+	_pam_overwrite(conf_icaps);
+	_pam_drop(conf_icaps);
+
+	return PAM_SUCCESS;
+
+    } else {
+
+	D(("there are no capabilities restrctions on this user"));
+	return PAM_IGNORE;
+
+    }
+}
+
+int pam_sm_setcred(pam_handle_t *pamh, int flags,
+		   int argc, const char **argv)
+{
+    int retval;
+    struct pam_cap_s pcs;
+
+    if (!(flags & PAM_ESTABLISH_CRED)) {
+	D(("we don't handle much in the way of credentials"));
+	return PAM_IGNORE;
+    }
+
+    memset(&pcs, 0, sizeof(pcs));
+
+    parse_args(argc, argv, &pcs);
+
+    retval = pam_get_item(pamh, PAM_USER, (const void **)&pcs.user);
+    if ((retval != PAM_SUCCESS) || (pcs.user == NULL) || !(pcs.user[0])) {
+
+	D(("user's name is not set"));
+	return PAM_AUTH_ERR;
+    }
+
+    retval = set_capabilities(&pcs);
+
+    memset(&pcs, 0, sizeof(pcs));
+
+    return (retval ? PAM_SUCCESS:PAM_IGNORE );
+}
diff --git a/libcap-2.19/pam_cap/test.c b/libcap-2.19/pam_cap/test.c
new file mode 100644
index 0000000..5150ba5
--- /dev/null
+++ b/libcap-2.19/pam_cap/test.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <security/pam_modules.h>
+
+int main(int argc, char **argv)
+{
+    if (pam_sm_authenticate(NULL, 0, 0, NULL) != PAM_SUCCESS) {
+	printf("failed to authenticate\n");
+	exit(1);
+    }
+    exit(0);
+}
diff --git a/libcap-2.19/pgp.keys.asc b/libcap-2.19/pgp.keys.asc
new file mode 100644
index 0000000..583accd
--- /dev/null
+++ b/libcap-2.19/pgp.keys.asc
@@ -0,0 +1,154 @@
+
+pub  1024D/D41A6DF2 2002-09-23 Andrew G. Morgan <morgan@kernel.org>
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBD2PVCcRBADmR2dfKJIaGj120v0EjrGbnYic8nKCrDLUHmtiZyIlMeTNqnw/
+/Q2m057SIyFC5K5W7XV8LIsOcpEBAdIS5QLClwec/wqVj1FU5TLHNifR9fBq+DaI
+tyMH+LX/HUo4xPaJ5KnE62/3M/SyUx/S69RURfRdDsC+9ucKZkW9mnRiUwCgm18E
++aUKNBKGyqHaNK+n50jxW0ED/2epmE6porj12MyTlTvmxHuq7SSqgzTP8KoNoOE4
+mtZnYAkopb8uksBo4yj4abfBZNiVXEttc+XpwhnRODfy576wVy/lmDMTFAz7CYw8
+5Qmsf9HZXyAS+XovscbYYAWq11BycqHzVNqOevMZPX4Om7+rHBcIPI6pCd3ouPlW
+ObE5A/oDWXC35DcgFdmgVH2qr5COEvrDs9T5w4UdRXBMj2khE+32rdP0qqGYCW13
+by84+Cpoekmg+6/FqL/At0Xl2a87czur5xR9mrDd32iknws0DggEuf+zL3Twt9kA
+ftnqgiGr33iaNeXwgqfgQYMbxruLvjaAOayKPhr+tgJU6bIpWbQkQW5kcmV3IEcu
+IE1vcmdhbiA8bW9yZ2FuQGtlcm5lbC5vcmc+iFcEExECABcFAj2PVCcFCwcKAwQD
+FQMCAxYCAQIXgAAKCRBCF4Sr1Bpt8u+VAJ958HbiLmhrpWjAauN9GrtKudijkACf
+R2XasdjQs2ECc2qMX19QwNohDAc=
+=7XTB
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+The following is my DSA key 'D41A6DF2' signed with my old '2A398175'
+RSA key.
+
+-----BEGIN PGP MESSAGE-----
+Version: 2.6.3a
+
+owF9k82L42QAxmccVjFzUNjbHLQLHlbDTJq0aZuRAd+8+WgmaZqkTZtWWchHk6Zt
+vpOmGcT1A1zm5EVZPXhQYW972IMHFVxQPK14UNjLICKiexBkEQQ9iI7zB/hcf4eH
+B57f6dY7O5e2jt76ab/58Db7HPVasb3NvLvzT/5G44+H1uSpW0/fffDih3Dv9+uv
+/ka/9Nh3n/h865FH0Qd1/f7Ny4/jg28/uPJ9tvvRjTdPrz1z+vVnyf4t50T95vmr
+/gtninr/q7NP56+8/4Xb/tlJl9d/vXNj9+bnly6/vHX2p56urvwQ/3j3y92Pt/eO
+3w57h3vO7O+/tn+5dw17HT555/bOe9YTQZR6ZrjPNHHQYjhi6zz7/4VmeUGuKbxS
+U3RaEmBNZCc1WupD8QIjo1ma+VF4WOPDQuFra/ygftCqXeVlHZP8sNg8i8AoCGZh
+fljjorTmh25Uy2az2jzP40MMK8vywAuL2Ds470eQQOV9miGUEbQ1GjCBRjiueCyY
+/AIn6us6u0h5K5z4dicUYcpIejfI/WklrHqzoZyEJYZgKhHUyfZAqDhIiuS4bYw6
+kpD17ZilgSMMSFWCq3JmY2UyWuCcTg6lruy7GuXSCcqYApJXvS4qGVhXj5obxTwm
+xZBtEVijhw0qfYMNWpSma67mMBlEqcIWp8sxFYSar5fQC/AOi6CmLsq0yFdJ15RF
+NCTri824zjIYMYsDthVH6fmWXjVcDdfBplsk7cEg8U6GSkeM5KjPNpEgn4YTsIxi
+q1MsMzpqVoumabn0VPZHBpvnNmrE5TzU+oxbke1WOaqwVcD0hhw4acNJ2UFINchc
+qjs1KjBAjWid2dZkAsYJjtOVnXRPRnLSn617U8Vo9oM2mnZpW1CEVgydRlQoqzHS
+t1gSYBEzNmCDZGyPcwJv1CWSlIR9dp0yGTUky6buaAbdWxDLOYs2iNRR6knCT+AY
+byBW1WmiMI5my8BDWxiXSBjI68aKMDtt+6RIyY1GBSnjNAh/GZZZnfE8tnDRE6kx
+LHNqCRA3DxPP59NGwzflmVF6ieupk561SQtpvTBB36xEZZ6iuXestywhHlvqUh2T
+SzsYNQTWLhCBxdd24MwtH3SsMVVNCa5Q+XxlB+TKguQ5s1Gfs1l2w0JA2xxYXJyO
+g6UtglJlEE7tQbCZQKAKhgeACDUacs1BitNx3inQETimyE7X8qVgnsbjBTALmeLT
+XCwcf7EE0EU0wjAzZ6FmBAttIukZOKWWcjRngH2EHLWNIY1cGMTKzP/o9S8=
+=cdkf
+-----END PGP MESSAGE-----
+
+Type Bits/KeyID    Date       User ID
+pub  1024/2A398175 1996/11/17 Andrew G. Morgan <morgan@linux.kernel.org>
+                              Andrew G. Morgan <morgan@transmeta.com>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3a
+
+mQCNAzKOhJ4AAAEEAJ9xYnZSD1kYanF+8GUBhHf/gx6hGd8ZNmS5qIC8Qb8rMcTI
++E16nV+FnNRlPRbShITYjq1TPvVK8gTliZf41N9LRQZw0rywRt1NQyhdfKgDWYxB
+kSOwK67oDjkzzC56XS2rrGI6K3Rz/VtYElRyuQ6ZyaKTGcgU/TTwrUUqOYF1AAUR
+tCpBbmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5AbGludXgua2VybmVsLm9yZz6JAJUD
+BRA2iFK0NPCtRSo5gXUBAalqA/9s3Hx8BUESiC9PpL88KSVe3ENoO0ogAuMDK3vj
+k2a17Twxi92Dc/NPXr8ewEKF/h1GiRetLBVPGaSVC+602+2cr5SHqzUzAeyF2Xa6
+VAxCskxkAssTxIW7nyAMWaOB5A/1xm3YChawVQx3XIvbIp+HXHDNr/60COtlGm7I
+IcHftbQnQW5kcmV3IEcuIE1vcmdhbiA8bW9yZ2FuQHRyYW5zbWV0YS5jb20+iQCV
+AwUQNohVmTTwrUUqOYF1AQEgWwP+K94N0OO+I2A7lnP5Jp7O+kfMJCFxPZOeozrq
+O8uKsAs03ekS+kDJ3p2ec65BOzZyweHEu1HtOtdZbXsN3zynLKBwJrvvaHBQpAqv
+BrjfNsl9a+NFmfa4fmdPWTzCaG2rmFlaQvZ6FP7QrHXB/1+VlH0gJ90FOgAd3Qyp
+4hhW9g8=
+=qQJI
+-----END PGP PUBLIC KEY BLOCK-----
+
+Type Bits/KeyID    Date       User ID
+pub  1024/4536A8DD 1996/01/28 Michael K. Johnson <johnsonm@redhat.com>
+                              Michael K. Johnson <johnsonm@nigel.vnet.net>
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3a
+
+mQCNAzEK0l0AAAEEAMWweYcS6ov1RISP6E7lb3vgQOrmhBy6S/8zkuHo92IkQWXm
+V9AcMUY/eJPRJH6yI6o1ZKN4InT4uCkSIQOd2C8XyeIK5jFhpmP9DhoucacNL5H7
+oCV4wtFGhUDaDl9VeTtbWLSMESxJ4T/fL/IfkW95/Q2dF7zIDid5aW9FNqjdAAUR
+tChNaWNoYWVsIEsuIEpvaG5zb24gPGpvaG5zb25tQHJlZGhhdC5jb20+iQCVAwUQ
+MuqeiDTwrUUqOYF1AQEjywP/bCWLybbZSI8plyUSWD3yxwjsE+8BiOPGRu1AARUz
+GbVZq9LqPDyjFtH9DqgXULyZtCAk8ebZonH/h/0EnZTi4tiZg3BHKXhIlWQnNz4D
+QRdtUEmMNQzi9+3mU99CBGigsrDQnNrnI88ejo/0YY3gdt6752g5HAvY13h9A0ZP
+MFWJAJUDBRAxgAouJ3lpb0U2qN0BActVA/9vgBOUheUpLPiIry/+2qqJv+e+LnHw
+DgZqROpli9bhJ4wfb1sXPYkFzchR8BUeU0NY6HvAwxEilSNPE1yQoaJuy8POtTuu
+aFO4wvuLp0v5LuatXaU8EsncwjrBsWqRB6Dqd+jyq24Pjx0YKNSRJxceiBE8SBDW
+HESAhYTYCBLy77QsTWljaGFlbCBLLiBKb2huc29uIDxqb2huc29ubUBuaWdlbC52
+bmV0Lm5ldD6JAJUDBRAxGljWe01Ojay67k0BAf3qA/48N9OvgGk9nNR+Pg6aW3rK
+2Dy8t2RQdFGd4b7gBtZeXUAklq9ppYZtS+cXFHoQ8d7K8XBjHh+rgF2oOSBQUrQf
+eb8XkKSZQxB7DZVdi1gAsOzSwCrn4TWSSKc28P4Mjuj1Jr2f1FGST1+cGIl7JbhV
+kLGjmvOIgs7lS8FE0Hhm/4kAlQMFEDEWclxEcVNogr/H7QEBN1QD/1iY+KYQyOTz
+fgaBsx+Bt11kstmOlYhXx23yK2etG0p8XCD2r3aojGOTR/e3o2bLiJo4xe+iMhOM
+dvdSzxSPGQ20wX3jGJaRrRiSClFTQbZSelGG0FcOGfM3mL5zeHaXzRcRciK3VDkD
+IFzTQ3J5NJVBIVlAkxTMIxho758lR2SjiQCVAwUQMREqFnoDqzGe1QXFAQFdpAP/
+VPPoYO50seo1rLL28AA2PVKqo6BJwj0ZMsC14MDJEKryBbj/E4Ma25uSlzBjj+t9
+rbygoz0XWUQMLh8XPAEps3nE3n8FWROsdlucGzGiDGKVEygLPzCsjR7aGEspN1Y7
+4qOZPxbpGG7B5exOLur4ACY75m6oBh+PN+Q1liCIYXKJAJUDBRAxDpk1iGe2nxKR
+G10BAeQjBACmx4DyJacQXxuckDaKMTXa8v2Q7lQpPDyHdn1oAUsx1mrbSL55v2AI
+Q0riFWcFRTERpjAToCLgQjK1pKpmJcduiXURj6TPVKd88hYkuCIpn2hIaI7SCkd8
+HZlfFiuaxVN29UbbzHv3C+mseydpkPRrovqmOSuj2xAGFALo6Vl9U4kAlQMFEDEN
+eD5EFXDNRmtCiQEBRmoEAJAuyY0F5hbweDOdeAhxLWeiTl9jGwQYDS3T5B5/9ZpC
+bJ1yX7Pk2o7LvR9tg/Ji5sfMMvIpH48DNT4kyjmmChFXCUBccwd+33ugdTcYDwLR
+Cdt7k9r2yXz1LEH+lVNKOEIhuIq8/sX61hvFR7+qSABthTLrvvynycD5n2pG3F7L
+=aGjw
+-----END PGP PUBLIC KEY BLOCK-----
+
+Type Bits/KeyID    Date       User ID
+pub  1024/D4F4D901 1997/03/05 Cristian Gafton <gafton@sorosis.ro>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3a
+
+mQCNAzMdU6sAAAEEAKLF73rRJ3RUtl+y4bLUOVOV7ataJ46ZHxDZeGAVi+/suwT9
+Kq7QdaeFc4Xwaq8PVWv7pZ4/qTwHUkdbjBVeLt+KOlprvKuadyAh9aG/SqmKkEvA
+hCS3yZDwNmeSLO7VIN5ko1nIwVD4kPJvS3xX6kn6jd4mvv/qGfGvxKXU9NkBAAUR
+tCNDcmlzdGlhbiBHYWZ0b24gPGdhZnRvbkBzb3Jvc2lzLnJvPokAlQMFEDMeTlI0
+8K1FKjmBdQEBmgQD/02JxAU6+fiaBKwRIFDdsLYTy8mPgYaoul9RIX450W5D5nY/
+/696F6TfmFUzvnrvTbZUDyLxHB0mnh4SrdKRKo57i7RDrdx3Mqlt/xP4R6nHwFed
+yTMvz3KB9tYuWfC1fJp69/VRIkMrw448zKkgqHUnAKxMIHvXnV3M9jd6lXSYiQCV
+AwUQMx1Tq/GvxKXU9NkBAQE3/gP/RZMe59OkBWS4whc9c6eac6zwcC/hNc1vyiZ5
+2TEHJ10PgtNtHchD7j3xsDO17/DGEZB23OQiPAeLdqnBr+y2uiSlQfYdpVHBHX3A
+uX3onc69LpEHmUAJAVOvfU1scnDtOH/KeVN3nwc6PWLxzLWzXfUbwLNK+LiPMNMV
+1qygu+s=
+=J4G2
+-----END PGP PUBLIC KEY BLOCK-----
+
+Type Bits/KeyID    Date       User ID
+pub  1024/A5D75B79 1997/03/01 Andrey V. Savochkin <saw@msu.ru>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.3a
+
+mQCNAzMYf1MAAAEEAK1S5jgmWnn8IS9mKoSpXu87f2soQhVZ3XdvsBCK2V7BojlU
+0+JJrK+2gMH5tavyFsQ6cKch6I4xH54cS4P4tNE9M7OtfoXOxejtp9U9KZio8T0X
+gM8qOS4fTQEfmdHSA5ETe5Vv+WPZ+/3SCo5kD1uIUUwppHDgJH+l396l11t5AAUR
+tCBBbmRyZXkgVi4gU2F2b2Noa2luIDxzYXdAbXN1LnJ1PokAlQMFEDaIUh008K1F
+KjmBdQEBFtkD/38mraXdr4aEYC6lxlG3cF+59XB6FjyBYhtwgNshpI2mB5XLr25p
+f4jMFNUqnY/bGjXWKwbNguzJ0ukD8TgOg1ZXQZztRso1t1Y2M1KPbwlqj8ib1bZG
+inQO/eqLrVwFH6F9CTiF0Fgy7faAIHN6BfE0o8earrcIwjT7sxRej3lziQCVAwUQ
+M35653fqPT1smcpJAQHeqgQAlXMOru6Rz1TkslVrWD0n7dvBUHQxs0HS1pcWJnZJ
+6kcYMLSA2RBi1fRabwzuOtzK60tOmfmnD7btcGBMMflOtfSulEg/xKNw2awEsNQK
+ULEIBsvrpMr0UN4hWkxTggDXaykg7rQqgrbAsicoLuTtPDIbc+yhQcFEVGJiPO/I
+tqiJAJUDBRAzfnUef89/VVw/1FkBAQ2lA/9q6FQM4RZzp75qxZ7jqAwUy9RFAKhp
+L63YFJX3i1JsUjNoO51pjj5pEAxVVQsorqbdsmpC2aOUTf1AufEcs1kLojb3tc19
+MhXPyHTJs66QqWutdP/yOW+CLzmILAsbEgI6O+toVZ0rHVXjEtRgKUnYReHLrlYj
+RKlBnkVc3NtPcIkAlQMFEDMYf1N/pd/epddbeQEBfKYD/3x/PkH2e+Cy7YXsfwxb
+y/n+6eNIbfakSYjkwN5tDOeaKhdQKUJBKVwAzD2yrLmMDx6uW+FUOTucb6Anau6R
+iKrAJq/a4DcpAeymo7cAthVU7en7HWwebQcL4wZGao1BJI+ulynki4sIqkfbGP83
+DK775eovl5X195ZkE/wNJvoi
+=V5TY
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/libcap-2.19/progs/Makefile b/libcap-2.19/progs/Makefile
new file mode 100644
index 0000000..a1542dc
--- /dev/null
+++ b/libcap-2.19/progs/Makefile
@@ -0,0 +1,35 @@
+
+topdir=$(shell pwd)/..
+include $(topdir)/Make.Rules
+#
+# Programs: all of the examples that we will compile
+#
+PROGS=getpcaps capsh
+ifeq ($(LIBATTR),yes)
+PROGS += getcap setcap
+endif
+
+BUILD=$(PROGS)
+
+ifneq ($(DYNAMIC),yes)
+LDFLAGS += --static
+endif
+LDLIBS += -lcap
+
+all: $(BUILD)
+
+$(BUILD): %: %.o
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS)
+
+%.o: %.c $(INCS)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+install: all
+	mkdir -p -m 0755 $(SBINDIR)
+	for p in $(PROGS) ; do \
+		install -m 0755 $$p $(SBINDIR) ; \
+	done
+
+clean:
+	$(LOCALCLEAN)
+	rm -f *.o $(BUILD) tcapsh ping hack.sh
diff --git a/libcap-2.19/progs/capsh.c b/libcap-2.19/progs/capsh.c
new file mode 100644
index 0000000..9645807
--- /dev/null
+++ b/libcap-2.19/progs/capsh.c
@@ -0,0 +1,563 @@
+/*
+ * Copyright (c) 2008 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * This is a simple 'bash' wrapper program that can be used to
+ * raise and lower both the bset and pI capabilities before invoking
+ * /bin/bash (hardcoded right now).
+ *
+ * The --print option can be used as a quick test whether various
+ * capability manipulations work as expected (or not).
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+#include <ctype.h>
+#include <sys/capability.h>
+#include <sys/securebits.h>
+#include <sys/wait.h>
+#include <sys/prctl.h>
+
+#define MAX_GROUPS       100   /* max number of supplementary groups for user */
+
+static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
+static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
+
+static char *binary(unsigned long value)
+{
+    static char string[8*sizeof(unsigned long) + 1];
+    unsigned i;
+
+    i = sizeof(string);
+    string[--i] = '\0';
+    do {
+	string[--i] = (value & 1) ? '1' : '0';
+	value >>= 1;
+    } while ((i > 0) && value);
+    return string + i;
+}
+
+int main(int argc, char *argv[], char *envp[])
+{
+    pid_t child;
+    unsigned i;
+
+    child = 0;
+
+    for (i=1; i<argc; ++i) {
+	if (!memcmp("--drop=", argv[i], 4)) {
+	    char *ptr;
+	    cap_t orig, raised_for_setpcap;
+
+	    /*
+	     * We need to do this here because --inh=XXX may have reset
+	     * orig and it isn't until we are within the --drop code that
+	     * we know what the prevailing (orig) pI value is.
+	     */
+	    orig = cap_get_proc();
+	    if (orig == NULL) {
+		perror("Capabilities not available");
+		exit(1);
+	    }
+
+	    raised_for_setpcap = cap_dup(orig);
+	    if (raised_for_setpcap == NULL) {
+		fprintf(stderr, "BSET modification requires CAP_SETPCAP\n");
+		exit(1);
+	    }
+
+	    if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
+			     raise_setpcap, CAP_SET) != 0) {
+		perror("unable to select CAP_SETPCAP");
+		exit(1);
+	    }
+
+	    if (strcmp("all", argv[i]+7) == 0) {
+		unsigned j = 0;
+		while (prctl(PR_CAPBSET_READ, j) >= 0) {
+		    if (prctl(PR_CAPBSET_DROP, j) != 0) {
+			fprintf(stderr,
+				"Unable to drop bounding capability [%s]\n",
+				cap_to_name(j));
+			exit(1);
+		    }
+		    j++;
+		}
+	    } else {
+		for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) {
+		    /* find name for token */
+		    cap_value_t cap;
+		    int status;
+
+		    if (cap_from_name(ptr, &cap) != 0) {
+			fprintf(stderr,
+				"capability [%s] is unknown to libcap\n",
+				ptr);
+			exit(1);
+		    }
+		    if (cap_set_proc(raised_for_setpcap) != 0) {
+			perror("unable to raise CAP_SETPCAP for BSET changes");
+			exit(1);
+		    }
+		    status = prctl(PR_CAPBSET_DROP, cap);
+		    if (cap_set_proc(orig) != 0) {
+			perror("unable to lower CAP_SETPCAP post BSET change");
+			exit(1);
+		    }
+		    if (status) {
+			fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap);
+			exit(1);
+		    }
+		}
+	    }
+	    cap_free(raised_for_setpcap);
+	    cap_free(orig);
+	} else if (!memcmp("--inh=", argv[i], 6)) {
+	    cap_t all, raised_for_setpcap;
+	    char *text;
+	    char *ptr;
+
+	    all = cap_get_proc();
+	    if (all == NULL) {
+		perror("Capabilities not available");
+		exit(1);
+	    }
+	    if (cap_clear_flag(all, CAP_INHERITABLE) != 0) {
+		perror("libcap:cap_clear_flag() internal error");
+		exit(1);
+	    }
+
+	    raised_for_setpcap = cap_dup(all);
+	    if ((raised_for_setpcap != NULL)
+		&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
+				 raise_setpcap, CAP_SET) != 0)) {
+		cap_free(raised_for_setpcap);
+		raised_for_setpcap = NULL;
+	    }
+
+	    text = cap_to_text(all, NULL);
+	    cap_free(all);
+	    if (text == NULL) {
+		perror("Fatal error concerning process capabilities");
+		exit(1);
+	    }
+	    ptr = malloc(10 + strlen(argv[i]+6) + strlen(text));
+	    if (ptr == NULL) {
+		perror("Out of memory for inh set");
+		exit(1);
+	    }
+	    sprintf(ptr, "%s %s+i", text, argv[i]+6);
+
+	    all = cap_from_text(ptr);
+	    if (all == NULL) {
+		perror("Fatal error internalizing capabilities");
+		exit(1);
+	    }
+	    cap_free(text);
+	    free(ptr);
+
+	    if (raised_for_setpcap != NULL) {
+		/*
+		 * This is only for the case that pP does not contain
+		 * the requested change to pI.. Failing here is not
+		 * indicative of the cap_set_proc(all) failing (always).
+		 */
+		(void) cap_set_proc(raised_for_setpcap);
+		cap_free(raised_for_setpcap);
+		raised_for_setpcap = NULL;
+	    }
+
+	    if (cap_set_proc(all) != 0) {
+		perror("Unable to set inheritable capabilities");
+		exit(1);
+	    }
+	    /*
+	     * Since status is based on orig, we don't want to restore
+	     * the previous value of 'all' again here!
+	     */
+
+	    cap_free(all);
+	} else if (!memcmp("--caps=", argv[i], 7)) {
+	    cap_t all, raised_for_setpcap;
+
+	    raised_for_setpcap = cap_get_proc();
+	    if (raised_for_setpcap == NULL) {
+		perror("Capabilities not available");
+		exit(1);
+	    }
+
+	    if ((raised_for_setpcap != NULL)
+		&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
+				 raise_setpcap, CAP_SET) != 0)) {
+		cap_free(raised_for_setpcap);
+		raised_for_setpcap = NULL;
+	    }
+
+	    all = cap_from_text(argv[i]+7);
+	    if (all == NULL) {
+		fprintf(stderr, "unable to interpret [%s]\n", argv[i]);
+		exit(1);
+	    }
+
+	    if (raised_for_setpcap != NULL) {
+		/*
+		 * This is only for the case that pP does not contain
+		 * the requested change to pI.. Failing here is not
+		 * indicative of the cap_set_proc(all) failing (always).
+		 */
+		(void) cap_set_proc(raised_for_setpcap);
+		cap_free(raised_for_setpcap);
+		raised_for_setpcap = NULL;
+	    }
+
+	    if (cap_set_proc(all) != 0) {
+		fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]);
+		exit(1);
+	    }
+	    /*
+	     * Since status is based on orig, we don't want to restore
+	     * the previous value of 'all' again here!
+	     */
+
+	    cap_free(all);
+	} else if (!memcmp("--keep=", argv[i], 7)) {
+	    unsigned value;
+	    int set;
+
+	    value = strtoul(argv[i]+7, NULL, 0);
+	    set = prctl(PR_SET_KEEPCAPS, value);
+	    if (set < 0) {
+		fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
+			value, strerror(errno));
+		exit(1);
+	    }
+	} else if (!memcmp("--chroot=", argv[i], 9)) {
+	    int status;
+	    cap_t orig, raised_for_chroot;
+
+	    orig = cap_get_proc();
+	    if (orig == NULL) {
+		perror("Capabilities not available");
+		exit(1);
+	    }
+
+	    raised_for_chroot = cap_dup(orig);
+	    if (raised_for_chroot == NULL) {
+		perror("Unable to duplicate capabilities");
+		exit(1);
+	    }
+
+	    if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot,
+			     CAP_SET) != 0) {
+		perror("unable to select CAP_SET_SYS_CHROOT");
+		exit(1);
+	    }
+
+	    if (cap_set_proc(raised_for_chroot) != 0) {
+		perror("unable to raise CAP_SYS_CHROOT");
+		exit(1);
+	    }
+	    cap_free(raised_for_chroot);
+
+	    status = chroot(argv[i]+9);
+	    if (cap_set_proc(orig) != 0) {
+		perror("unable to lower CAP_SYS_CHROOT");
+		exit(1);
+	    }
+	    cap_free(orig);
+
+	    if (status != 0) {
+		fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
+		exit(1);
+	    }
+	} else if (!memcmp("--secbits=", argv[i], 10)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+10, NULL, 0);
+	    status = prctl(PR_SET_SECUREBITS, value);
+	    if (status < 0) {
+		fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
+			value, value);
+		exit(1);
+	    }
+	} else if (!memcmp("--forkfor=", argv[i], 10)) {
+	    unsigned value;
+
+	    value = strtoul(argv[i]+10, NULL, 0);
+	    if (value == 0) {
+		goto usage;
+	    }
+	    child = fork();
+	    if (child < 0) {
+		perror("unable to fork()");
+	    } else if (!child) {
+		sleep(value);
+		exit(0);
+	    }
+	} else if (!memcmp("--killit=", argv[i], 9)) {
+	    int retval, status;
+	    pid_t result;
+	    unsigned value;
+
+	    value = strtoul(argv[i]+9, NULL, 0);
+	    if (!child) {
+		fprintf(stderr, "no forked process to kill\n");
+		exit(1);
+	    }
+	    retval = kill(child, value);
+	    if (retval != 0) {
+		perror("Unable to kill child process");
+		exit(1);
+	    }
+	    result = waitpid(child, &status, 0);
+	    if (result != child) {
+		fprintf(stderr, "waitpid didn't match child: %u != %u\n",
+			child, result);
+		exit(1);
+	    }
+	    if (WTERMSIG(status) != value) {
+		fprintf(stderr, "child terminated with odd signal (%d != %d)\n"
+			, value, WTERMSIG(status));
+		exit(1);
+	    }
+	} else if (!memcmp("--uid=", argv[i], 6)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+6, NULL, 0);
+	    status = setuid(value);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set uid=%u: %s\n",
+			value, strerror(errno));
+		exit(1);
+	    }
+	} else if (!memcmp("--gid=", argv[i], 6)) {
+	    unsigned value;
+	    int status;
+
+	    value = strtoul(argv[i]+6, NULL, 0);
+	    status = setgid(value);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set gid=%u: %s\n",
+			value, strerror(errno));
+		exit(1);
+	    }
+        } else if (!memcmp("--groups=", argv[i], 9)) {
+	  char *ptr, *buf;
+	  long length, max_groups;
+	  gid_t *group_list;
+	  int g_count;
+
+	  length = sysconf(_SC_GETGR_R_SIZE_MAX);
+	  buf = calloc(1, length);
+	  if (NULL == buf) {
+	    fprintf(stderr, "No memory for [%s] operation\n", argv[i]);
+	    exit(1);
+	  }
+
+	  max_groups = sysconf(_SC_NGROUPS_MAX);
+	  group_list = calloc(max_groups, sizeof(gid_t));
+	  if (NULL == group_list) {
+	    fprintf(stderr, "No memory for gid list\n");
+	    exit(1);
+	  }
+
+	  g_count = 0;
+	  for (ptr = argv[i] + 9; (ptr = strtok(ptr, ","));
+	       ptr = NULL, g_count++) {
+	    if (max_groups <= g_count) {
+	      fprintf(stderr, "Too many groups specified (%d)\n", g_count);
+	      exit(1);
+	    }
+	    if (!isdigit(*ptr)) {
+	      struct group *g, grp;
+	      getgrnam_r(ptr, &grp, buf, length, &g);
+	      if (NULL == g) {
+		fprintf(stderr, "Failed to identify gid for group [%s]\n", ptr);
+		exit(1);
+	      }
+	      group_list[g_count] = g->gr_gid;
+	    } else {
+	      group_list[g_count] = strtoul(ptr, NULL, 0);
+	    }
+	  }
+	  free(buf);
+	  if (setgroups(g_count, group_list) != 0) {
+	    fprintf(stderr, "Failed to setgroups.\n");
+	    exit(1);
+	  }
+	  free(group_list);
+	} else if (!memcmp("--user=", argv[i], 7)) {
+	    struct passwd *pwd;
+	    const char *user;
+	    gid_t groups[MAX_GROUPS];
+	    int status, ngroups;
+
+	    user = argv[i] + 7;
+	    pwd = getpwnam(user);
+	    if (pwd == NULL) {
+	      fprintf(stderr, "User [%s] not known\n", user);
+	      exit(1);
+	    }
+	    ngroups = MAX_GROUPS;
+	    status = getgrouplist(user, pwd->pw_gid, groups, &ngroups);
+	    if (status < 1) {
+	      perror("Unable to get group list for user");
+	      exit(1);
+	    }
+	    status = setgroups(ngroups, groups);
+	    if (status != 0) {
+	      perror("Unable to set group list for user");
+	      exit(1);
+	    }
+	    status = setgid(pwd->pw_gid);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set gid=%u(user=%s): %s\n",
+			pwd->pw_gid, user, strerror(errno));
+		exit(1);
+	    }
+	    status = setuid(pwd->pw_uid);
+	    if (status < 0) {
+		fprintf(stderr, "Failed to set uid=%u(user=%s): %s\n",
+			pwd->pw_uid, user, strerror(errno));
+		exit(1);
+	    }
+	} else if (!memcmp("--decode=", argv[i], 9)) {
+	    unsigned long long value;
+	    unsigned cap;
+	    const char *sep = "";
+
+	    /* Note, if capabilities become longer than 64-bits we'll need
+	       to fixup the following code.. */
+	    value = strtoull(argv[i]+9, NULL, 16);
+	    printf("0x%016llx=", value);
+
+	    for (cap=0; (cap < 64) && (value >> cap); ++cap) {
+		if (value & (1ULL << cap)) {
+		    const char *ptr;
+
+		    ptr = cap_to_name(cap);
+		    if (ptr != NULL) {
+			printf("%s%s", sep, ptr);
+		    } else {
+			printf("%s%u", sep, cap);
+		    }
+		    sep = ",";
+		}
+	    }
+	    printf("\n");
+	} else if (!strcmp("--print", argv[i])) {
+	    unsigned cap;
+	    int set, status, j;
+	    cap_t all;
+	    char *text;
+	    const char *sep;
+	    struct group *g;
+	    gid_t groups[MAX_GROUPS], gid;
+	    uid_t uid;
+	    struct passwd *u;
+
+	    all = cap_get_proc();
+	    text = cap_to_text(all, NULL);
+	    printf("Current: %s\n", text);
+	    cap_free(text);
+	    cap_free(all);
+
+	    printf("Bounding set =");
+ 	    sep = "";
+	    for (cap=0; (set = prctl(PR_CAPBSET_READ, cap)) >= 0; cap++) {
+		const char *ptr;
+		if (!set) {
+		    continue;
+		}
+
+		ptr = cap_to_name(cap);
+		if (ptr == 0) {
+		    printf("%s%u", sep, cap);
+		} else {
+		    printf("%s%s", sep, ptr);
+		}
+		sep = ",";
+	    }
+	    printf("\n");
+	    set = prctl(PR_GET_SECUREBITS);
+	    if (set >= 0) {
+		const char *b;
+		b = binary(set);  /* use verilog convention for binary string */
+		printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set, strlen(b), b);
+		printf(" secure-noroot: %s (%s)\n",
+		       (set & 1) ? "yes":"no",
+		       (set & 2) ? "locked":"unlocked");
+		printf(" secure-no-suid-fixup: %s (%s)\n",
+		       (set & 4) ? "yes":"no",
+		       (set & 8) ? "locked":"unlocked");
+		printf(" secure-keep-caps: %s (%s)\n",
+		       (set & 16) ? "yes":"no",
+		       (set & 32) ? "locked":"unlocked");
+	    } else {
+		printf("[Securebits ABI not supported]\n");
+		set = prctl(PR_GET_KEEPCAPS);
+		if (set >= 0) {
+		    printf(" prctl-keep-caps: %s (locking not supported)\n",
+			   set ? "yes":"no");
+		} else {
+		    printf("[Keepcaps ABI not supported]\n");
+		}
+	    }
+	    uid = getuid();
+	    u = getpwuid(uid);
+	    printf("uid=%u(%s)\n", getuid(), u ? u->pw_name : "???");
+	    gid = getgid();
+	    g = getgrgid(gid);
+	    printf("gid=%u(%s)\n", gid, g ? g->gr_name : "???");
+	    printf("groups=");
+	    status = getgroups(MAX_GROUPS, groups);
+	    sep = "";
+	    for (j=0; j < status; j++) {
+		g = getgrgid(groups[j]);
+		printf("%s%u(%s)", sep, groups[j], g ? g->gr_name : "???");
+		sep = ",";
+	    }
+	    printf("\n");
+	} else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) {
+	    argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]);
+	    argv[argc] = NULL;
+	    execve(argv[i], argv+i, envp);
+	    fprintf(stderr, "execve /bin/bash failed!\n");
+	    exit(1);
+	} else {
+	usage:
+	    printf("usage: %s [args ...]\n"
+		   "  --help         this message (or try 'man capsh')\n"
+		   "  --print        display capability relevant state\n"
+		   "  --decode=xxx   decode a hex string to a list of caps\n"
+		   "  --drop=xxx     remove xxx,.. capabilities from bset\n"
+		   "  --caps=xxx     set caps as per cap_from_text()\n"
+		   "  --inh=xxx      set xxx,.. inheritiable set\n"
+		   "  --secbits=<n>  write a new value for securebits\n"
+		   "  --keep=<n>     set keep-capabability bit to <n>\n"
+		   "  --uid=<n>      set uid to <n> (hint: id <username>)\n"
+		   "  --gid=<n>      set gid to <n> (hint: id <username>)\n"
+		   "  --groups=g,... set the supplemental groups\n"
+                   "  --user=<name>  set uid,gid and groups to that of user\n"
+		   "  --chroot=path  chroot(2) to this path\n"
+		   "  --killit=<n>   send signal(n) to child\n"
+		   "  --forkfor=<n>  fork and make child sleep for <n> sec\n"
+		   "  ==             re-exec(capsh) with args as for --\n"
+		   "  --             remaing arguments are for /bin/bash\n"
+		   "                 (without -- [%s] will simply exit(0))\n",
+		   argv[0], argv[0]);
+
+	    exit(strcmp("--help", argv[i]) != 0);
+	}
+    }
+
+    exit(0);
+}
diff --git a/libcap-2.19/progs/getcap.c b/libcap-2.19/progs/getcap.c
new file mode 100644
index 0000000..f6debc0
--- /dev/null
+++ b/libcap-2.19/progs/getcap.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 1997,2007 Andrew G. Morgan  <morgan@kernel.org>
+ *
+ * This displays the capabilities of a given file.
+ */
+
+#define _XOPEN_SOURCE 500
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/capability.h>
+
+#include <ftw.h>
+
+static int verbose = 0;
+static int recursive = 0;
+
+static void usage(void)
+{
+    fprintf(stderr,
+	    "usage: getcap [-v] [-r] [-h] <filename> [<filename> ...]\n"
+	    "\n"
+	    "\tdisplays the capabilities on the queried file(s).\n"
+	);
+    exit(1);
+}
+
+static int do_getcap(const char *fname, const struct stat *stbuf,
+		     int tflag, struct FTW* ftwbuf)
+{
+    cap_t cap_d;
+    char *result;
+
+    if (tflag != FTW_F) {
+	if (verbose) {
+	    printf("%s (Not a regular file)\n", fname);
+	}
+	return 0;
+    }
+
+    cap_d = cap_get_file(fname);
+    if (cap_d == NULL) {
+	if (errno != ENODATA) {
+	    fprintf(stderr, "Failed to get capabilities of file `%s' (%s)\n",
+		    fname, strerror(errno));
+	} else if (verbose) {
+	    printf("%s\n", fname);
+	}
+	return 0;
+    }
+
+    result = cap_to_text(cap_d, NULL);
+    if (!result) {
+	fprintf(stderr,
+		"Failed to get capabilities of human readable format at `%s' (%s)\n",
+		fname, strerror(errno));
+	cap_free(cap_d);
+	return 0;
+    }
+    printf("%s %s\n", fname, result);
+    cap_free(cap_d);
+    cap_free(result);
+
+    return 0;
+}
+
+int main(int argc, char **argv)
+{
+    int i, c;
+
+    while ((c = getopt(argc, argv, "rvh")) > 0) {
+	switch(c) {
+	case 'r':
+	    recursive = 1;
+	    break;
+	case 'v':
+	    verbose = 1;
+	    break;
+	default:
+	    usage();
+	}
+    }
+
+    if (!argv[optind])
+	usage();
+
+    for (i=optind; argv[i] != NULL; i++) {
+	struct stat stbuf;
+
+	if (lstat(argv[i], &stbuf) != 0) {
+	    fprintf(stderr, "%s (%s)\n", argv[i], strerror(errno));
+	} else if (recursive) {
+	    nftw(argv[i], do_getcap, 20, FTW_PHYS);
+	} else {
+	    int tflag = S_ISREG(stbuf.st_mode) ? FTW_F :
+		(S_ISLNK(stbuf.st_mode) ? FTW_SL : FTW_NS);
+	    do_getcap(argv[i], &stbuf, tflag, 0);
+	}
+    }
+
+    return 0;
+}
diff --git a/libcap-2.19/progs/getpcaps.c b/libcap-2.19/progs/getpcaps.c
new file mode 100644
index 0000000..e405a92
--- /dev/null
+++ b/libcap-2.19/progs/getpcaps.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1997,2008 Andrew G. Morgan  <morgan@kernel.org>
+ *
+ * This displays the capabilities of given target process(es).
+ */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/capability.h>
+
+static void usage(void)
+{
+    fprintf(stderr,
+"usage: getcaps <pid> [<pid> ...]\n\n"
+"  This program displays the capabilities on the queried process(es).\n"
+"  The capabilities are displayed in the cap_from_text(3) format.\n\n"
+"[Copyright (c) 1997-8,2007 Andrew G. Morgan  <morgan@kernel.org>]\n"
+	);
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    int retval = 0;
+
+    if (argc < 2) {
+	usage();
+    }
+
+    for ( ++argv; --argc > 0; ++argv ) {
+	ssize_t length;
+	int pid;
+	cap_t cap_d;
+
+	pid = atoi(argv[0]);
+
+	cap_d = cap_get_pid(pid);
+	if (cap_d == NULL) {
+		fprintf(stderr, "Failed to get cap's for proccess %d:"
+			" (%s)\n", pid, strerror(errno));
+		retval = 1;
+		continue;
+	} else {
+	    char *result = cap_to_text(cap_d, &length);
+	    fprintf(stderr, "Capabilities for `%s': %s\n", *argv, result);
+	    cap_free(result);
+	    result = NULL;
+	    cap_free(cap_d);
+	}
+    }
+
+    return retval;
+}
diff --git a/libcap-2.19/progs/old/README b/libcap-2.19/progs/old/README
new file mode 100644
index 0000000..75741d3
--- /dev/null
+++ b/libcap-2.19/progs/old/README
@@ -0,0 +1 @@
+these files are not relevant to this release
diff --git a/libcap-2.19/progs/old/execcap.c b/libcap-2.19/progs/old/execcap.c
new file mode 100644
index 0000000..330cc93
--- /dev/null
+++ b/libcap-2.19/progs/old/execcap.c
@@ -0,0 +1,68 @@
+/*
+ * This was written by Andrew G. Morgan <morgan@kernel.org>
+ *
+ * This is a program that is intended to exec a subsequent program.
+ * The purpose of this 'execcap' wrapper is to limit the inheritable
+ * capabilities of the exec()'d program.  All environment variables
+ * are inherited.
+ */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdio.h>
+#include <sys/capability.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+
+static void usage(void)
+{
+    fprintf(stderr,
+"usage: execcap <caps> <command-path> [command-args...]\n\n"
+"  This program is a wrapper that can be used to limit the Inheritable\n"
+"  capabilities of a program to be executed.  Note, this wrapper is\n"
+"  intended to assist in overcoming a lack of support for filesystem\n"
+"  capability attributes and should be used to launch other files.\n"
+"  This program should _NOT_ be made setuid-0.\n\n"
+"[Copyright (c) 1998 Andrew G. Morgan <morgan@kernel.org>]\n");
+
+    exit(1);
+}
+
+int main(int argc, char **argv)
+{
+    cap_t new_caps;
+
+    /* this program should not be made setuid-0 */
+    if (getuid() && !geteuid()) {
+	usage();
+    }
+
+    /* check that we have at least 2 arguments */
+    if (argc < 3) {
+	usage();
+    }
+
+    /* parse the first argument to obtain a set of capabilities */
+    new_caps = cap_from_text(argv[1]);
+    if (new_caps == NULL) {
+	fprintf(stderr, "requested capabilities were not recognized\n");
+	usage();
+    }
+
+    /* set these capabilities for the current process */
+    if (cap_set_proc(new_caps) != 0) {
+	fprintf(stderr, "unable to set capabilities: %s\n", strerror(errno));
+	usage();
+    }
+
+    /* exec the program indicated by args 2 ... */
+    execvp(argv[2], argv+2);
+
+    /* if we fall through to here, our exec failed -- announce the fact */
+    fprintf(stderr, "Unable to execute command: %s\n", strerror(errno));
+
+    usage();
+
+    return 0;
+}
diff --git a/libcap-2.19/progs/old/setpcaps.c b/libcap-2.19/progs/old/setpcaps.c
new file mode 100644
index 0000000..3720fce
--- /dev/null
+++ b/libcap-2.19/progs/old/setpcaps.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997-8 Andrew G. Morgan  <morgan@kernel.org>
+ *
+ * This sets the capabilities of a given process.
+ */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#undef _POSIX_SOURCE
+#include <sys/capability.h>
+#include <unistd.h>
+
+static void usage(void)
+{
+    fprintf(stderr,
+"usage: setcap [-q] (-|<caps>) <pid> [ ... (-|<capsN>) <pid> ]\n\n"
+"  This program can be used to set the process capabilities of running\n"
+"  processes.  In order to work, it needs to be executing with CAP_SETPCAP\n"
+"  raised, and the only capabilities that this program can bestow on others\n"
+"  are a subset of its effective set.  This program is mostly intended as an\n"
+"  example -- a safe use of CAP_SETPCAP has yet to be demonstrated!\n\n"
+"[Copyright (c) 1997-8 Andrew G. Morgan  <morgan@kernel.org>]\n"
+	);
+    exit(1);
+}
+
+#define MAXCAP  2048
+
+static int read_caps(int quiet, const char *filename, char *buffer)
+{
+    int i=MAXCAP;
+
+    if (!quiet) {
+	fprintf(stderr,	"Please enter caps for file [empty line to end]:\n");
+    }
+    while (i > 0) {
+	int j = read(STDIN_FILENO, buffer, i);
+
+	if (j < 0) {
+	    fprintf(stderr, "\n[Error - aborting]\n");
+	    exit(1);
+	}
+
+	if (j==0 || buffer[0] == '\n') {
+	    /* we're done */
+	    break;
+	}
+
+	/* move on... */
+
+	i -= j;
+	buffer += j;
+    }
+
+    /* <NUL> terminate */
+    buffer[0] = '\0';
+
+    return (i < MAXCAP ? 0:-1);
+}
+
+int main(int argc, char **argv)
+{
+    char buffer[MAXCAP+1];
+    int retval, quiet=0;
+    cap_t cap_d;
+
+    if (argc < 3) {
+	usage();
+    }
+
+    while (--argc > 0) {
+	const char *text;
+	pid_t pid;
+
+	if (!strcmp(*++argv,"-q")) {
+	    quiet = 1;
+	    continue;
+	}
+	if (!strcmp(*argv,"-")) {
+	    retval = read_caps(quiet, *argv, buffer);
+	    if (retval)
+		usage();
+	    text = buffer;
+	} else
+	    text = *argv;
+
+	cap_d = cap_from_text(text);
+	if (cap_d == NULL) {
+	    perror("fatal error");
+	    usage();
+	}
+#ifndef DEBUG
+	{
+	    ssize_t length;
+	    char *result;
+
+	    result = cap_to_text(cap_d, &length);
+	    fprintf(stderr, "[caps set to:\n%s\n]\n", result);
+	    cap_free(result);
+	    result = NULL;
+	}
+#endif
+
+	if (--argc <= 0)
+	    usage();
+
+	pid = atoi(*++argv);
+	retval = capsetp(pid, cap_d);
+
+	if (retval != 0) {
+	    fprintf(stderr, "Failed to set cap's on process `%d': (%s)\n",
+		    pid, strerror(errno));
+	    usage();
+	}
+#ifndef DEBUG
+	fprintf(stderr, "[caps set on %d]\n", pid);
+#endif
+    }
+
+    return 0;
+}
diff --git a/libcap-2.19/progs/old/sucap.c b/libcap-2.19/progs/old/sucap.c
new file mode 100644
index 0000000..366a093
--- /dev/null
+++ b/libcap-2.19/progs/old/sucap.c
@@ -0,0 +1,199 @@
+/*
+ * $Id: sucap.c,v 1.1.1.1 1999/04/17 22:16:31 morgan Exp $
+ *
+ * This was written by Finn Arne Gangstad <finnag@guardian.no>
+ *
+ * This is a program that is intended to exec a subsequent program.
+ * The purpose of this 'sucap' wrapper is to change uid but keep all
+ * privileges. All environment variables are inherited.
+ */
+
+#include <sys/types.h>
+#include <errno.h>
+#include <stdio.h>
+#undef _POSIX_SOURCE
+#include <sys/capability.h>
+#include <pwd.h>
+#define __USE_BSD
+#include <grp.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+
+static void usage(void)
+{
+    fprintf(stderr,
+"usage: sucap <user> <group> <command-path> [command-args...]\n\n"
+"  This program is a wrapper that change UID but not privileges of a\n"
+"  program to be executed.\n"
+"  Note, this wrapper is intended to assist in overcoming a lack of support\n"
+"  for filesystem capability attributes and should be used to launch other\n"
+"  files. This program should _NOT_ be made setuid-0.\n\n"
+"[Copyright (c) 1998 Finn Arne Gangstad <finnag@guardian.no>]\n");
+
+    exit(1);
+}
+
+
+static void
+wait_on_fd(int fd)
+{
+    /* Wait until some data is available on a file descriptor, or until
+     * end of file or an error is detected */
+    char buf[1];
+    while (read(fd, buf, sizeof(buf)) == -1 && errno == EINTR) {
+	/* empty loop */
+    }
+}
+
+
+int main(int argc, char **argv)
+{
+    cap_t old_caps;
+    uid_t uid;
+    pid_t pid, parent_pid;
+    gid_t gid;
+    int pipe_fds[2];
+
+    /* this program should not be made setuid-0 */
+    if (getuid() && !geteuid()) {
+        usage();
+    }
+
+    /* check that we have at least 3 arguments */
+    if (argc < 4) {
+        usage();
+    }
+
+    /* Convert username to uid */
+    {
+	struct passwd *pw = getpwnam(argv[1]);
+	if (!pw) {
+	    fprintf(stderr, "sucap: No such user: %s\n", argv[1]);
+	    exit(1);
+	}
+	uid = pw->pw_uid;
+    }
+
+    /* Convert groupname to gid */
+    {
+	struct group *gr = getgrnam(argv[2]);
+	if (!gr) {
+	    fprintf(stderr, "sucap: No such group: %s\n", argv[2]);
+	    exit(1);
+	}
+	gid = gr->gr_gid;
+    }
+    
+    /* set process group to current pid */
+    if (setpgid(0, getpid())) {
+	perror("sucap: Failed to set process group");
+	exit(1);
+    }
+    
+    if (pipe(pipe_fds)) {
+	perror("sucap: pipe() failed");
+	exit(1);
+    }
+    
+    parent_pid = getpid();
+
+    old_caps = cap_init();
+    if (capgetp(0, old_caps)) {
+	perror("sucap: capgetp");
+	exit(1);
+    }
+    
+    {
+	ssize_t x;
+	printf("Caps: %s\n", cap_to_text(old_caps, &x));
+    }
+
+
+    /* fork off a child to do the hard work */
+    fflush(NULL);
+    pid = fork();
+    if (pid == -1) {
+	perror("sucap: fork failed");
+	exit(1);
+    }
+
+    /* 1. mother process sets gid and uid
+     * 2. child process sets capabilities of mother process
+     * 3. mother process execs whatever is to be executed
+     */
+
+    if (pid) {
+	/* Mother process. */
+	close(pipe_fds[0]);
+
+	/* Get rid of any supplemental groups */
+	if (!getuid() && setgroups(0, 0)) {
+	    perror("sucap: setgroups failed");
+	    exit(1);
+	}
+
+	/* Set gid and uid (this probably clears capabilities) */
+	setregid(gid, gid);
+	setreuid(uid, uid);
+
+	{
+	    ssize_t x;
+	    cap_t cap = cap_init();
+	    capgetp(0, cap);
+	    printf("Caps: %s\n", cap_to_text(cap, &x));
+	}
+	
+	printf("[debug] uid:%d, real uid:%d\n", geteuid(), getuid());
+
+	/* Signal child that we want our privileges updated */
+	close(pipe_fds[1]); /* Child hangs in blocking read */
+
+	/* Wait for child process to set our privileges */
+	{
+	    int status = 0;
+	    if (wait(&status) == -1) {
+		perror("sucap: wait failed");
+	    }
+	    if (!WIFEXITED(status) || WEXITSTATUS(status)) {
+		fprintf(stderr, "sucap: child did not exit cleanly.\n");
+		exit(1);
+	    }
+	}
+
+	{
+	    ssize_t x;
+	    cap_t cap = cap_init();
+	    capgetp(0, cap);
+	    printf("Caps: %s\n", cap_to_text(cap, &x));
+	}
+
+/*	printf("[debug] uid:%d, real uid:%d\n", geteuid(), getuid()); */
+	/* exec the program indicated by args 2 ... */
+	execvp(argv[3], argv+3);
+	
+	/* if we fall through to here, our exec failed -- announce the fact */
+	fprintf(stderr, "Unable to execute command: %s\n", strerror(errno));
+	
+	usage();
+    } else {
+	/* Child process */
+	close(pipe_fds[1]);
+
+	/* Wait for mother process to setuid */
+	wait_on_fd(pipe_fds[0]);
+
+	/* Set privileges on mother process */
+	if (capsetp(parent_pid, old_caps)) {
+	    perror("sucaps: capsetp");
+	    _exit(1);
+	}
+
+	/* exit to signal mother process that we are ready */
+	_exit(0);
+    }
+
+    return 0;
+}
diff --git a/libcap-2.19/progs/quicktest.sh b/libcap-2.19/progs/quicktest.sh
new file mode 100755
index 0000000..0297bee
--- /dev/null
+++ b/libcap-2.19/progs/quicktest.sh
@@ -0,0 +1,134 @@
+#!/bin/bash
+#
+# Run through a series of tests to try out the various capability
+# manipulations posible through exec.
+#
+# [Run this as root in a root-enabled process tree.]
+
+try_capsh () {
+    echo "TEST: ./capsh $*"
+    ./capsh "$@"
+    if [ $? -ne 0 ]; then
+	echo FAILED
+	return 1
+    else
+	echo PASSED
+	return 0
+    fi
+}
+
+fail_capsh () {
+    echo -n "EXPECT FAILURE: "
+    try_capsh "$@"
+    if [ $? -eq 1 ]; then
+	return 0
+    else
+	echo "Undesired result - aborting"
+	echo "PROBLEM TEST: $*"
+	exit 1
+    fi
+}
+
+pass_capsh () {
+    echo -n "EXPECT SUCCESS: "
+    try_capsh "$@"
+    if [ $? -eq 0 ]; then
+	return 0
+    else
+	echo "Undesired result - aborting"
+	echo "PROBLEM TEST: $*"
+	exit 1
+    fi
+}
+
+pass_capsh --print
+
+# Make a local non-setuid-0 version of ping
+cp /bin/ping . && chmod -s ./ping
+
+# Give it the forced capability it needs
+./setcap all=ep ./ping
+if [ $? -ne 0 ]; then
+    echo "Failed to set all capabilities on file"
+    exit 1
+fi
+./setcap cap_net_raw=ep ./ping
+if [ $? -ne 0 ]; then
+    echo "Failed to set single capability on ping file"
+    exit 1
+fi
+
+# Explore keep_caps support
+pass_capsh --keep=0 --keep=1 --keep=0 --keep=1 --print
+
+rm -f tcapsh
+cp capsh tcapsh
+chown root.root tcapsh
+chmod u+s tcapsh
+ls -l tcapsh
+
+# leverage keep caps maintain capabilities accross a change of uid
+# from setuid root to capable luser (as per wireshark/dumpcap 0.99.7)
+pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --caps=\"cap_net_raw,cap_net_admin=pie\" --print"
+
+# This fails, on 2.6.24, but shouldn't
+pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --forkfor=10 --caps= --print --killit=9 --print"
+
+rm -f tcapsh
+
+# only continue with these if --secbits is supported
+./capsh --secbits=0x2f > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "unable to test securebits manipulation - assume not supported (PASS)"
+    rm -f ./ping
+    exit 0
+fi
+
+pass_capsh --secbits=42 --print
+fail_capsh --secbits=32 --keep=1 --keep=0 --print
+pass_capsh --secbits=10 --keep=0 --keep=1 --print
+fail_capsh --secbits=47 -- -c "ping -c1 localhost"
+
+# Suppress uid=0 privilege
+fail_capsh --secbits=47 --print -- -c "/bin/ping -c1 localhost"
+
+# suppress uid=0 privilege and test this ping
+pass_capsh --secbits=0x2f --print -- -c "./ping -c1 localhost"
+
+# observe that the bounding set can be used to suppress this forced capability
+fail_capsh --drop=cap_net_raw,cap_chown --secbits=0x2f --print -- -c "./ping -c1 localhost"
+
+# change the way the capability is obtained (make it inheritable)
+./setcap cap_net_raw=ei ./ping
+
+pass_capsh --secbits=47 --inh=cap_net_raw --drop=cap_net_raw \
+    --uid=500 --print -- -c "./ping -c1 localhost"
+
+rm -f ./ping
+
+# test that we do not support capabilities on setuid shell-scripts
+cat > hack.sh <<EOF
+#!/bin/bash
+mypid=\$\$
+caps=\$(./getpcaps \$mypid 2>&1 | cut -d: -f2)
+if [ "\$caps" != " =" ]; then
+  echo "Shell script got [\$caps] - you should upgrade your kernel"
+  exit 1
+else
+  ls -l \$0
+  echo "Good, no capabilities [\$caps] for this setuid-0 shell script"
+fi
+exit 0
+EOF
+chmod +xs hack.sh
+./capsh --uid=500 -- ./hack.sh
+status=$?
+rm -f ./hack.sh
+if [ $status -ne 0 ]; then
+    echo "shell scripts can have capabilities (bug)"
+    exit 1
+fi
+
+# Max lockdown
+pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \
+    --drop=all --secbits=0x2f --caps= --print
diff --git a/libcap-2.19/progs/setcap.c b/libcap-2.19/progs/setcap.c
new file mode 100644
index 0000000..0215fc4
--- /dev/null
+++ b/libcap-2.19/progs/setcap.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 1997,2007-8 Andrew G. Morgan  <morgan@kernel.org>
+ *
+ * This sets/verifies the capabilities of a given file.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/capability.h>
+#include <unistd.h>
+
+static void usage(void)
+{
+    fprintf(stderr,
+	    "usage: setcap [-q] [-v] (-r|-|<caps>) <filename> "
+	    "[ ... (-r|-|<capsN>) <filenameN> ]\n"
+	    "\n"
+	    " Note <filename> must be a regular (non-symlink) file.\n"
+	);
+    exit(1);
+}
+
+#define MAXCAP  2048
+
+static int read_caps(int quiet, const char *filename, char *buffer)
+{
+    int i=MAXCAP;
+
+    if (!quiet) {
+	fprintf(stderr,	"Please enter caps for file [empty line to end]:\n");
+    }
+    while (i > 0) {
+	int j = read(STDIN_FILENO, buffer, i);
+
+	if (j < 0) {
+	    fprintf(stderr, "\n[Error - aborting]\n");
+	    exit(1);
+	}
+
+	if (j==0 || buffer[0] == '\n') {
+	    /* we're done */
+	    break;
+	}
+
+	/* move on... */
+
+	i -= j;
+	buffer += j;
+    }
+
+    /* <NUL> terminate */
+    buffer[0] = '\0';
+
+    return (i < MAXCAP ? 0:-1);
+}
+
+int main(int argc, char **argv)
+{
+    int tried_to_cap_setfcap = 0;
+    char buffer[MAXCAP+1];
+    int retval, quiet=0, verify=0;
+    cap_t mycaps;
+    cap_value_t capflag;
+
+    if (argc < 3) {
+	usage();
+    }
+
+    mycaps = cap_get_proc();
+    if (mycaps == NULL) {
+	fprintf(stderr, "warning - unable to get process capabilities"
+		" (old libcap?)\n");
+    }
+
+    while (--argc > 0) {
+	const char *text;
+	cap_t cap_d;
+
+	if (!strcmp(*++argv, "-q")) {
+	    quiet = 1;
+	    continue;
+	}
+	if (!strcmp(*argv, "-v")) {
+	    verify = 1;
+	    continue;
+	}
+
+	if (!strcmp(*argv, "-r")) {
+	    cap_d = NULL;
+	} else {
+	    if (!strcmp(*argv,"-")) {
+		retval = read_caps(quiet, *argv, buffer);
+		if (retval)
+		    usage();
+		text = buffer;
+	    } else {
+		text = *argv;
+	    }
+
+	    cap_d = cap_from_text(text);
+	    if (cap_d == NULL) {
+		perror("fatal error");
+		usage();
+	    }
+#ifdef DEBUG
+	    {
+		ssize_t length;
+		const char *result;
+
+		result = cap_to_text(cap_d, &length);
+		fprintf(stderr, "caps set to: [%s]\n", result);
+	    }
+#endif
+	}
+
+	if (--argc <= 0)
+	    usage();
+	/*
+	 * Set the filesystem capability for this file.
+	 */
+	if (verify) {
+	    cap_t cap_on_file;
+	    int cmp;
+
+	    if (cap_d == NULL) {
+		cap_d = cap_from_text("=");
+	    }
+
+	    cap_on_file = cap_get_file(*++argv);
+
+	    if (cap_on_file == NULL) {
+		cap_on_file = cap_from_text("=");
+	    }
+
+	    cmp = cap_compare(cap_on_file, cap_d);
+	    cap_free(cap_on_file);
+
+	    if (cmp != 0) {
+		if (!quiet) {
+		    printf("%s differs in [%s%s%s]\n", *argv,
+			   CAP_DIFFERS(cmp, CAP_PERMITTED) ? "p" : "",
+			   CAP_DIFFERS(cmp, CAP_INHERITABLE) ? "i" : "",
+			   CAP_DIFFERS(cmp, CAP_EFFECTIVE) ? "e" : "");
+		}
+		exit(1);
+	    }
+	    if (!quiet) {
+		printf("%s: OK\n", *argv);
+	    }
+	} else {
+	    if (!tried_to_cap_setfcap) {
+		capflag = CAP_SETFCAP;
+
+		/*
+		 * Raise the effective CAP_SETFCAP.
+		 */
+		if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
+		    != 0) {
+		    perror("unable to manipulate CAP_SETFCAP - "
+			   "try a newer libcap?");
+		    exit(1);
+		}
+		if (cap_set_proc(mycaps) != 0) {
+		    perror("unable to set CAP_SETFCAP effective capability");
+		    exit(1);
+		}
+		tried_to_cap_setfcap = 1;
+	    }
+	    retval = cap_set_file(*++argv, cap_d);
+	    if (retval != 0) {
+		fprintf(stderr,
+			"Failed to set capabilities on file `%s' (%s)\n",
+			argv[0], strerror(errno));
+		usage();
+	    }
+	}
+	if (cap_d) {
+	    cap_free(cap_d);
+	}
+    }
+
+    exit(0);
+}
diff --git a/libcap-2.19/template.c b/libcap-2.19/template.c
new file mode 100644
index 0000000..92d1672
--- /dev/null
+++ b/libcap-2.19/template.c
@@ -0,0 +1,6 @@
+/*
+ * Copyright (c) 1997 <Author>  <@>
+ *
+ * <Content>
+ */
+
diff --git a/libcap.tar.gz b/libcap.tar.gz
new file mode 100644
index 0000000..d2acd91
--- /dev/null
+++ b/libcap.tar.gz
Binary files differ
diff --git a/libcap.url b/libcap.url
new file mode 100644
index 0000000..05c173c
--- /dev/null
+++ b/libcap.url
@@ -0,0 +1 @@
+http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.19.tar.gz
diff --git a/libcap.version b/libcap.version
new file mode 100644
index 0000000..15a3e92
--- /dev/null
+++ b/libcap.version
@@ -0,0 +1 @@
+2.19