another fix for installation

Makefile

@@ -23,13 +23,13 @@ $(BIN_DIR):
 build: $(BINS)
 
 install: build
-ifneq (0, $(filter $(shell capsh --has-p=CAP_DAC_OVERRIDE,CAP_CHOWN 2&>/dev/null; echo $?), $(shell id -u)))
+ifneq (0, $(filter $(shell capsh --has-p=CAP_DAC_OVERRIDE,CAP_CHOWN &>/dev/null; echo $?), $(shell id -u)))
 	$(PRIV_EXE) cp -f $(BINS) /usr/bin
 	$(PRIV_EXE) chown root:root /usr/bin/sr /usr/bin/chsr /usr/bin/capable
 	$(PRIV_EXE) chmod 0555 /usr/bin/sr /usr/bin/chsr /usr/bin/capable
 	$(PRIV_EXE) setcap "=p" /usr/bin/sr
 	$(PRIV_EXE) setcap cap_dac_override,cap_sys_admin,cap_sys_ptrace+ep /usr/bin/capable
-else ifneq (0, $(shell capsh --has-p=CAP_SETFCAP 2&>/dev/null; echo $?))
+else ifneq (0, $(shell capsh --has-p=CAP_SETFCAP &>/dev/null; echo $?))
 	@echo "You must have CAP_SETFCAP privilege to perform installation."
 else
 	cp -f $(BINS) /usr/bin
@@ -47,9 +47,9 @@ cov:
 	cargo tarpaulin --bin chsr --bin sr --exclude-files capable* capable-ebpf/src/vmlinux.rs capable/src/main.rs build.rs --out Lcov --out Html
 
 uninstall:
-ifneq (0, $(filter $(shell capsh --has-p=CAP_DAC_OVERRIDE 2&>/dev/null; echo $?), $(shell id -u)))
+ifneq (0, $(filter $(shell capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null; echo $?), $(shell id -u)))
 	@echo "You must have CAP_DAC_OVERRIDE privilege or be root"
-else ifneq (0, $(shell capsh --has-p=CAP_LINUX_IMMUTABLE 2&>/dev/null; echo $?))
+else ifneq (0, $(shell capsh --has-p=CAP_LINUX_IMMUTABLE &>/dev/null; echo $?))
 	@echo "You must have CAP_LINUX_IMMUTABLE privilege"
 else
 	rm -f /usr/bin/sr

configure.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 DOCKER=0
+YES=""
 
 while getopts "yd" opt; do
 	case ${opt} in
@@ -11,9 +12,9 @@ while getopts "yd" opt; do
 	esac
 done
 
-if [ -z ${SUDO_USER+x} ]; then INSTALL_USER=`id -urn`; else INSTALL_USER=$SUDO_USER; fi
+if [[ -z ${SUDO_USER+x} ]]; then INSTALL_USER=`id -urn`; else INSTALL_USER=$SUDO_USER; fi
 
-if [ $(capsh --has-p=CAP_DAC_OVERRIDE; echo $?) != 0 ] || ( [ ${DOCKER} -eq 0 ] && [ $(capsh --has-p=CAP_LINUX_IMMUTABLE; echo $?) != 0 ] ) ; then
+if [[ $(capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null; echo $?) -ne 0 ]] || ( [[ ${DOCKER} == 0 ]] && [[ $(capsh --has-p=CAP_LINUX_IMMUTABLE &>/dev/null; echo $?) -ne 0 ]] ); then
     echo "Vous avez besoin des capacités CAP_DAC_OVERRIDE et CAP_LINUX_IMMUTABLE pour exécuter ce script."
     exit 1
 fi
@@ -22,42 +23,45 @@ export $(grep -h '^ID' /etc/*-release)
 
 echo "Configuration files installation"
 echo "id : ${ID}"
-if [ "${ID}" == "arch" ]; then
+if [[ "${ID}" == "arch" ]]; then
     cp resources/arch_sr_pam.conf /etc/pam.d/sr || exit;
-elif [ "${ID}" == "ubuntu" ] || [ "${ID}" == "debian" ]; then
+elif [[ "${ID}" == "ubuntu" ]] || [ "${ID}" == "debian" ]]; then
     cp resources/deb_sr_pam.conf /etc/pam.d/sr || exit;
-elif [ "${ID}" == "centos" ] || [ "${ID}" == "fedora" ] || [[ "${ID}" == *"rhel"* ]]; then
+elif [[ "${ID}" == "centos" ]] || [ "${ID}" == "fedora" ]] || [[ "${ID}" == *"rhel"* ]]; then
     cp resources/rh_sr_pam.conf /etc/pam.d/sr || exit;
 else
     echo "Unable to find a supported distribution, exiting..."
     exit 3
 fi
 
 
-
-if [ -e "/etc/security/rootasrole.json" ];then
-	if [ $INSTALL_USER == "0" ]; then
-		echo "Warning: You run this script as real root, so the administator role is defined for the root user"
+write() {
+	if [[  ${DOCKER} -eq 0 ]] && [[ -e "/etc/security/rootasrole.json" ]]; then # Docker does not support immutable
+		chattr -i /etc/security/rootasrole.json
 	fi
+	cp resources/rootasrole.json /etc/security || exit
+	echo "Define root role for the user $INSTALL_USER"
+	sed -i "s/ROOTADMINISTRATOR/$INSTALL_USER/g" /etc/security/rootasrole.json
+}
+
+if [[ $INSTALL_USER == "0" ]]; then
+	echo "Warning: You run this script as real root, so the administrator role is defined for the root user"
+fi
+
+if [[ ! -e "/etc/security/rootasrole.json" ]] || [[  "${YES}" = "-y" ]]; then
+	write
+else
 	read -r -p "Reconfigure policy? [y/N] " response
 	case "$response" in
 		[yY][eE][sS]|[yY]) 
-			if [  $DOCKER -eq 0 ]; then # Docker does not support immutable
-				chattr -i /etc/security/rootasrole.json
-			fi
-			cp resources/rootasrole.json /etc/security || exit
-			echo "Define root role for the user $INSTALL_USER"
-			sed -i "s/ROOTADMINISTRATOR/$INSTALL_USER/g" /etc/security/rootasrole.json
+			write
 			;;
 	esac
-else 
-	cp resources/rootasrole.json /etc/security || exit
-	echo "Define root role for the user $INSTALL_USER"
-	sed -i "s/ROOTADMINISTRATOR/$INSTALL_USER/g" /etc/security/rootasrole.json
 fi
+
 chmod 0644 /etc/pam.d/sr || exit
 chmod 0640 /etc/security/rootasrole.json || exit
-if [  $DOCKER -eq 0 ]; then
+if [[  $DOCKER -eq 0 ]]; then
 	chattr +i /etc/security/rootasrole.json || exit
 fi
 

dependencies.sh

@@ -54,7 +54,7 @@ echo "Install Rust Cargo compiler"
 if [ $(command -v cargo &>/dev/null; echo $?) -eq 0 ]; then 
 	echo "Cargo is installed"
 else
-	curl https://sh.rustup.rs -sSf | sh -s -- ${YES}
+	curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain nightly ${YES} # nightly because aya use -Z feature
 fi
 
 . "$HOME/.cargo/env"

src/sr/main.rs

@@ -27,7 +27,7 @@ use crate::common::{
     activates_no_new_privs,
     config::{self, Storage},
     database::{read_json_config, structs::SGroups},
-    read_effective, setgid_effective, setpcap_effective, setuid_effective,
+    read_effective, dac_override_effective, setgid_effective, setpcap_effective, setuid_effective,
 };
 use crate::common::{drop_effective, subsribe};
 
@@ -212,9 +212,9 @@ fn main() -> Result<(), Box<dyn Error>> {
     register_plugins();
     let args = add_dashes();
     let args = Cli::parse_from(args.iter());
-    read_effective(true).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read")));
+    read_effective(true).or(dac_override_effective(true)).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read")));
     let settings = config::get_settings().expect("Failed to get settings");
-    read_effective(false).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read")));
+    read_effective(false).and(dac_override_effective(false)).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read")));
     let config = match settings.clone().as_ref().borrow().storage.method {
         config::StorageMethod::JSON => {
             Storage::JSON(read_json_config(settings).expect("Failed to read config"))