1 files changed, 22 insertions, 0 deletions

diff --git a/src/rc/supervise-daemon.c b/src/rc/supervise-daemon.c
index 135fc902..5c5c01fc 100644
--- a/src/rc/supervise-daemon.c
+++ b/src/rc/supervise-daemon.c
@@ -78,6 +78,7 @@ const struct option longopts[] = {
 	{ "healthcheck-timer",        1, NULL, 'a'},
 	{ "healthcheck-delay",        1, NULL, 'A'},
 	{ "capabilities", 1, NULL, 0x100},
+	{ "secbits", 1, NULL, 0x101},
 	{ "respawn-delay",        1, NULL, 'D'},
 	{ "chdir",        1, NULL, 'd'},
 	{ "env",          1, NULL, 'e'},
@@ -104,6 +105,7 @@ const char * const longopts_help[] = {
 	"set an initial health check delay",
 	"set a health check timer",
 	"Set the inheritable, ambient and bounding capabilities",
+	"Set the security-bits for the program",
 	"Set a respawn delay",
 	"Change the PWD",
 	"Set an environment string",
@@ -160,6 +162,7 @@ static char *svcname = NULL;
 static bool verbose = false;
 #ifdef HAVE_CAP
 static cap_iab_t cap_iab = NULL;
+static unsigned secbits = 0;
 #endif
 
 extern char **environ;
@@ -427,6 +430,11 @@ static void child_process(char *exec, char **argv)
 		if (i != 0)
 			eerrorx("Could not set iab: %s", strerror(errno));
 	}
+
+	if (secbits != 0) {
+		if (cap_set_secbits(secbits) < 0)
+			eerrorx("Could not set securebits to 0x%x: %s", secbits, strerror(errno));
+	}
 #endif
 
 	/* remove the controlling tty */
@@ -832,6 +840,20 @@ int main(int argc, char **argv)
 #endif
 			break;
 
+        case 0x101:
+#ifdef HAVE_CAP
+			if (*optarg == '\0')
+				eerrorx("Secbits are empty");
+
+			tmp = NULL;
+			secbits = strtoul(optarg, &tmp, 0);
+			if (*tmp != '\0')
+				eerrorx("Could not parse secbits: invalid char %c", *tmp);
+#else
+			eerrorx("Capabilities support not enabled");
+#endif
+			break;
+
 		case 'D':  /* --respawn-delay time */
 			n = sscanf(optarg, "%d", &respawn_delay);
 			if (n	!= 1 || respawn_delay < 1)