author | LinkTed <link.ted@mailbox.org> | 2022-01-03 17:41:57 +0200 |
---|---|---|
committer | Mike Frysinger <vapier@gmail.com> | 2022-02-06 17:17:46 -0500 |
commit | 79e5edc1a3187ef63bed80fe4ecb05a898b68f00 (patch) | |
tree | 6486571e87c6a4a566d980e1422584e13cc68130 /src/rc/start-stop-daemon.c | |
parent | e045591845ab993d67a131f75a838e5993845de3 (diff) |
capabilities: Add support for securebits flags
This adds securebits flags for start-stop-daemon and supervise-daemon
by adding --secbits option. As a result, the user can specify
securebits the program should run with; see capabilities(7).
Diffstat (limited to 'src/rc/start-stop-daemon.c')
-rw-r--r-- | src/rc/start-stop-daemon.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/src/rc/start-stop-daemon.c b/src/rc/start-stop-daemon.c index 4d89b0b6..e1a520f5 100644 --- a/src/rc/start-stop-daemon.c +++ b/src/rc/start-stop-daemon.c @@ -74,6 +74,7 @@ const char getoptstring[] = "I:KN:PR:Sa:bc:d:e:g:ik:mn:op:s:tu:r:w:x:1:2:3:4:" \ getoptstring_COMMON; const struct option longopts[] = { { "capabilities", 1, NULL, 0x100}, + { "secbits", 1, NULL, 0x101}, { "ionice", 1, NULL, 'I'}, { "stop", 0, NULL, 'K'}, { "nicelevel", 1, NULL, 'N'}, @@ -107,6 +108,7 @@ const struct option longopts[] = { }; const char * const longopts_help[] = { "Set the inheritable, ambient and bounding capabilities", + "Set the security-bits for the program", "Set an ionice class:data when starting", "Stop daemon", "Set a nicelevel when starting", @@ -315,6 +317,7 @@ int main(int argc, char **argv) unsigned int start_wait = 0; #ifdef HAVE_CAP cap_iab_t cap_iab = NULL; + unsigned secbits = 0; #endif applet = basename_c(argv[0]); @@ -372,6 +375,21 @@ int main(int argc, char **argv) #endif break; + case 0x101: +#ifdef HAVE_CAP + if (*optarg == '\0') + eerrorx("Secbits are empty"); + + tmp = NULL; + secbits = strtoul(optarg, &tmp, 0); + if (*tmp != '\0') + eerrorx("Could not parse secbits: invalid char %c", *tmp); +#else + eerrorx("Capabilities support not enabled"); +#endif + break; + + case 'I': /* --ionice */ if (sscanf(optarg, "%d:%d", &ionicec, &ioniced) == 0) eerrorx("%s: invalid ionice `%s'", @@ -890,6 +908,11 @@ int main(int argc, char **argv) if (i != 0) eerrorx("Could not set iab: %s", strerror(errno)); } + + if (secbits != 0) { + if (cap_set_secbits(secbits) < 0) + eerrorx("Could not set securebits to 0x%x: %s", secbits, strerror(errno)); + } #endif #ifdef TIOCNOTTY |
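Review bot: The new help entry `"Set the security-bits for the program"` names the feature differently from both the option it documents (`--secbits`) and capabilities(7), which calls them securebits, and it does not tell the user that the argument is a numeric mask rather than a list of names. Since the parser in the later hunk uses `strtoul(optarg, &tmp, 0)`, decimal, octal and `0x` hex forms are all accepted, which is worth stating. I would change the string to `"Set the securebits (numeric mask, see capabilities(7)) for the program"`. The `longopts_help[]` array continues outside the hunk.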
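Review bot: `secbits = strtoul(optarg, &tmp, 0);` narrows an `unsigned long` into the `unsigned secbits` declared earlier without checking `errno` for ERANGE or the value's range, so an over-long or out-of-range argument is silently truncated and only the trailing-character test rejects bad text; `strtoul` also accepts leading whitespace and a `-` sign, so an input like `-1` parses as a large wrapped value instead of an error. Set `errno = 0` before the call, parse into an `unsigned long`, and reject ERANGE and values above UINT_MAX before assigning (this needs `<limits.h>` if the file does not already include it; `<errno.h>` is evidently in scope since `strerror(errno)` is used below). Bit positions the kernel does not define are presumably refused later by `cap_set_secbits` with EINVAL, which is acceptable but deserves a short comment at the parse site. `tmp` is declared outside the hunk, and `main` both starts and ends outside it.
```c
		case 0x101:
#ifdef HAVE_CAP
			if (*optarg == '\0')
				eerrorx("Secbits are empty");

			/* Base 0: decimal, 0-octal or 0x-hex. Bits the kernel does not
			 * know are rejected later by cap_set_secbits(). */
			errno = 0;
			tmp = NULL;
			unsigned long secbits_ul = strtoul(optarg, &tmp, 0);
			if (*tmp != '\0')
				eerrorx("Could not parse secbits: invalid char %c", *tmp);
			if (errno == ERANGE || secbits_ul > UINT_MAX)
				eerrorx("Secbits out of range: %s", optarg);
			secbits = (unsigned)secbits_ul;
#else
			/* … unchanged: "Capabilities support not enabled" error … */
#endif
			break;
```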
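Review bot: `if (secbits != 0)` makes an explicit `--secbits 0` indistinguishable from not passing the option, so the flag cannot be used to clear securebits the daemon would otherwise inherit from the parent process; the parse case earlier accepts `0` without complaint, so the user gets no indication that it did nothing. If that is intended, say so with a comment such as `/* 0 means "not requested": securebits are left as inherited */`; otherwise track whether the option was given with a separate flag set in the `0x101` case and key this block on it. Separately, `cap_set_secbits` needs CAP_SETPCAP in the calling process and cannot change bits already locked, so the failure message would be more useful if it told the operator that, e.g. `"Could not set securebits to 0x%x (needs CAP_SETPCAP, bits may be locked): %s"`. This block sits inside `#ifdef HAVE_CAP` and `main` continues outside the hunk.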