diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/rc/start-stop-daemon.c | 23 | ||||
| -rw-r--r-- | src/rc/supervise-daemon.c | 22 |
2 files changed, 45 insertions, 0 deletions
diff --git a/src/rc/start-stop-daemon.c b/src/rc/start-stop-daemon.c index 4d89b0b6..e1a520f5 100644 --- a/src/rc/start-stop-daemon.c +++ b/src/rc/start-stop-daemon.c @@ -74,6 +74,7 @@ const char getoptstring[] = "I:KN:PR:Sa:bc:d:e:g:ik:mn:op:s:tu:r:w:x:1:2:3:4:" \ getoptstring_COMMON; const struct option longopts[] = { { "capabilities", 1, NULL, 0x100}, + { "secbits", 1, NULL, 0x101}, { "ionice", 1, NULL, 'I'}, { "stop", 0, NULL, 'K'}, { "nicelevel", 1, NULL, 'N'}, @@ -107,6 +108,7 @@ const struct option longopts[] = { }; const char * const longopts_help[] = { "Set the inheritable, ambient and bounding capabilities", + "Set the security-bits for the program", "Set an ionice class:data when starting", "Stop daemon", "Set a nicelevel when starting", @@ -315,6 +317,7 @@ int main(int argc, char **argv) unsigned int start_wait = 0; #ifdef HAVE_CAP cap_iab_t cap_iab = NULL; + unsigned secbits = 0; #endif applet = basename_c(argv[0]); @@ -372,6 +375,21 @@ int main(int argc, char **argv) #endif break; + case 0x101: +#ifdef HAVE_CAP + if (*optarg == '\0') + eerrorx("Secbits are empty"); + + tmp = NULL; + secbits = strtoul(optarg, &tmp, 0); + if (*tmp != '\0') + eerrorx("Could not parse secbits: invalid char %c", *tmp); +#else + eerrorx("Capabilities support not enabled"); +#endif + break; + + case 'I': /* --ionice */ if (sscanf(optarg, "%d:%d", &ionicec, &ioniced) == 0) eerrorx("%s: invalid ionice `%s'", @@ -890,6 +908,11 @@ int main(int argc, char **argv) if (i != 0) eerrorx("Could not set iab: %s", strerror(errno)); } + + if (secbits != 0) { + if (cap_set_secbits(secbits) < 0) + eerrorx("Could not set securebits to 0x%x: %s", secbits, strerror(errno)); + } #endif #ifdef TIOCNOTTY diff --git a/src/rc/supervise-daemon.c b/src/rc/supervise-daemon.c index 135fc902..5c5c01fc 100644 --- a/src/rc/supervise-daemon.c +++ b/src/rc/supervise-daemon.c @@ -78,6 +78,7 @@ const struct option longopts[] = { { "healthcheck-timer", 1, NULL, 'a'}, { "healthcheck-delay", 1, NULL, 'A'}, { "capabilities", 1, NULL, 0x100}, + { "secbits", 1, NULL, 0x101}, { "respawn-delay", 1, NULL, 'D'}, { "chdir", 1, NULL, 'd'}, { "env", 1, NULL, 'e'}, @@ -104,6 +105,7 @@ const char * const longopts_help[] = { "set an initial health check delay", "set a health check timer", "Set the inheritable, ambient and bounding capabilities", + "Set the security-bits for the program", "Set a respawn delay", "Change the PWD", "Set an environment string", @@ -160,6 +162,7 @@ static char *svcname = NULL; static bool verbose = false; #ifdef HAVE_CAP static cap_iab_t cap_iab = NULL; +static unsigned secbits = 0; #endif extern char **environ; @@ -427,6 +430,11 @@ static void child_process(char *exec, char **argv) if (i != 0) eerrorx("Could not set iab: %s", strerror(errno)); } + + if (secbits != 0) { + if (cap_set_secbits(secbits) < 0) + eerrorx("Could not set securebits to 0x%x: %s", secbits, strerror(errno)); + } #endif /* remove the controlling tty */ @@ -832,6 +840,20 @@ int main(int argc, char **argv) #endif break; + case 0x101: +#ifdef HAVE_CAP + if (*optarg == '\0') + eerrorx("Secbits are empty"); + + tmp = NULL; + secbits = strtoul(optarg, &tmp, 0); + if (*tmp != '\0') + eerrorx("Could not parse secbits: invalid char %c", *tmp); +#else + eerrorx("Capabilities support not enabled"); +#endif + break; + case 'D': /* --respawn-delay time */ n = sscanf(optarg, "%d", &respawn_delay); if (n != 1 || respawn_delay < 1) |