authorLinkTed <link.ted@mailbox.org>2021-06-13 19:26:24 +0200
committerMike Frysinger <vapier@gmail.com>2021-12-23 17:29:10 -0500
commit6e214b261604c4ab1ffc244272443a587bb59927 (patch)
tree618ab3e7bb84f80eff7a8c8e23c1700a2ca587be /src/rc/supervise-daemon.c
parentfd1e4a384af44a8687b3a5369283f80f1cf29d84 (diff)
capabilities: Add support for Linux capabilities(7)
This adds capabilities for start-stop-daemon by adding a --capabilities option. As a result, the user can specify the inheritable, ambient and bounding sets by defining capabilities in the service script. This fixes #314.
Diffstat (limited to 'src/rc/supervise-daemon.c')
-rw-r--r--src/rc/supervise-daemon.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/src/rc/supervise-daemon.c b/src/rc/supervise-daemon.c
index ddadb677..135fc902 100644
--- a/src/rc/supervise-daemon.c
+++ b/src/rc/supervise-daemon.c
@@ -57,6 +57,10 @@
static struct pam_conv conv = { NULL, NULL};
#endif
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif
+
#include "einfo.h"
#include "queue.h"
#include "rc.h"
@@ -73,6 +77,7 @@ const char getoptstring[] = "A:a:D:d:e:g:H:I:Kk:m:N:p:R:r:s:Su:1:2:3" \
const struct option longopts[] = {
{ "healthcheck-timer", 1, NULL, 'a'},
{ "healthcheck-delay", 1, NULL, 'A'},
+ { "capabilities", 1, NULL, 0x100},
{ "respawn-delay", 1, NULL, 'D'},
{ "chdir", 1, NULL, 'd'},
{ "env", 1, NULL, 'e'},
@@ -98,6 +103,7 @@ const struct option longopts[] = {
const char * const longopts_help[] = {
"set an initial health check delay",
"set a health check timer",
+ "Set the inheritable, ambient and bounding capabilities",
"Set a respawn delay",
"Change the PWD",
"Set an environment string",
@@ -152,6 +158,9 @@ static int fifo_fd = 0;
static char *pidfile = NULL;
static char *svcname = NULL;
static bool verbose = false;
+#ifdef HAVE_CAP
+static cap_iab_t cap_iab = NULL;
+#endif
extern char **environ;
@@ -398,12 +407,28 @@ static void child_process(char *exec, char **argv)
eerrorx("%s: unable to set groupid to %d", applet, gid);
if (changeuser && initgroups(changeuser, gid))
eerrorx("%s: initgroups (%s, %d)", applet, changeuser, gid);
+#ifdef HAVE_CAP
+ if (uid && cap_setuid(uid))
+#else
if (uid && setuid(uid))
+#endif
eerrorx ("%s: unable to set userid to %d", applet, uid);
/* Close any fd's to the passwd database */
endpwent();
+#ifdef HAVE_CAP
+ if (cap_iab != NULL) {
+ i = cap_iab_set_proc(cap_iab);
+
+ if (cap_free(cap_iab) != 0)
+ eerrorx("Could not releasable memory: %s", strerror(errno));
+
+ if (i != 0)
+ eerrorx("Could not set iab: %s", strerror(errno));
+ }
+#endif
+
/* remove the controlling tty */
#ifdef TIOCNOTTY
ioctl(tty_fd, TIOCNOTTY, 0);
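Review bot: With HAVE_CAP defined, `cap_setuid(uid)` replaces `setuid(uid)` even when no `--capabilities` was given (`cap_iab == NULL`); libcap documents cap_setuid() as preserving the permitted set across the UID change and lowering only the effective set, so a service that merely drops to an unprivileged user now keeps permitted capabilities until the exec, where plain setuid() would have cleared them. Consider choosing the call at run time inside the `#ifdef`, e.g. `if (uid && (cap_iab != NULL ? cap_setuid(uid) : setuid(uid)))`. In the added block, `cap_free()` runs between `cap_iab_set_proc()` and the `i != 0` check, so the `strerror(errno)` in "Could not set iab" may report a value overwritten by cap_free(); test `i` (or save errno) first, and the message "Could not releasable memory" reads as a typo. child_process() begins and ends outside this hunk, so what runs between this point and the exec is not visible here.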
@@ -797,6 +822,16 @@ int main(int argc, char **argv)
eerrorx("%s: invalid health check delay %s", applet, optarg);
break;
+ case 0x100:
+#ifdef HAVE_CAP
+ cap_iab = cap_iab_from_text(optarg);
+ if (cap_iab == NULL)
+ eerrorx("Could not parse iab: %s", strerror(errno));
+#else
+ eerrorx("Capabilities support not enabled");
+#endif
+ break;
+
case 'D': /* --respawn-delay time */
n = sscanf(optarg, "%d", &respawn_delay);
if (n != 1 || respawn_delay < 1)
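Review bot: The `case 0x100:` label carries no comment and repeats the bare value used in the `longopts` table, unlike the neighbouring `case 'D': /* --respawn-delay time */`; a named constant such as `enum { LONGOPT_CAPABILITIES = 0x100 };` used in both places, plus `/* --capabilities iab-text */` on the case, would make the pairing explicit. If the option is given twice, the earlier `cap_iab` is overwritten without `cap_free()` and it is not evident which capability set wins; `if (cap_iab != NULL) cap_free(cap_iab);` before the assignment would settle that. main() starts and ends outside this hunk.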