Exemple #1
0
int
main(int argc, char *argv[])
{
	cap_t caps;
	pid_t pid;
	int r;

	/* Create child; child commences execution in childFunc() */
	printf("******* info of the parent process - start ********\n");
	caps = cap_get_proc();
	printf("Before unshare, the capabilities are:\n");
	printf("capabilities: %s\n", cap_to_text(caps, NULL));

	r = unshare(CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER );
	if(r == -1) {
		printf("unshare failed: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}
	caps = cap_get_proc();
	printf("After unshare, the capabilities are:\n");
	printf("capabilities: %s\n", cap_to_text(caps, NULL));

	printf("the process pid is: %ld\n", (long)getpid());

	r = execlp("sh", "sh", (char *)0);
	if(r == -1) {
		printf("execlp failed: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}
	exit(EXIT_SUCCESS);
}
Exemple #2
0
/* run during request cleanup */
static apr_status_t ruid_suidback (void *data)
{
	request_rec *r = data;

	ruid_config_t *conf = ap_get_module_config (r->server->module_config, &ruid2_module);
	core_server_config *core = (core_server_config *) ap_get_module_config(r->server->module_config, &core_module);

	cap_t cap;
	cap_value_t capval[3];

	if (cap_mode == RUID_CAP_MODE_KEEP) {

		cap=cap_get_proc();
		capval[0]=CAP_SETUID;
		capval[1]=CAP_SETGID;
		capval[2]=CAP_SYS_CHROOT;
		cap_set_flag(cap, CAP_EFFECTIVE, (conf->chroot_dir ? 3 : 2), capval, CAP_SET);
		if (cap_set_proc(cap)!=0) {
			ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed before setuid", MODULE_NAME, __func__);
		}
		cap_free(cap);

		setgroups(startup_groupsnr, startup_groups);
		setgid(ap_unixd_config.group_id);
		setuid(ap_unixd_config.user_id);

		/* set httpd process dumpable after setuid */
		if (coredump) {
			prctl(PR_SET_DUMPABLE,1);
		}

		/* jail break */
		if (conf->chroot_dir) {
			if (fchdir(root_handle) < 0) {
				ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s failed to fchdir to root dir (%d) (%s)", MODULE_NAME, root_handle, strerror(errno));
			} else {
				if (chroot(".") != 0) {
					ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s jail break failed", MODULE_NAME);
				}
			}
			core->ap_document_root = old_root;
		}

		cap=cap_get_proc();
		capval[0]=CAP_SETUID;
		capval[1]=CAP_SETGID;
		capval[2]=CAP_SYS_CHROOT;
		cap_set_flag(cap, CAP_EFFECTIVE, 3, capval, CAP_CLEAR);
		if (cap_set_proc(cap)!=0) {
			ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed after setuid", MODULE_NAME, __func__);
		}
		cap_free(cap);
	}

	return DECLINED;
}
static int sysnet_get_permissions()
{
    cap_t caps = cap_get_proc();
    if (caps == NULL) {
        perror("cap_get_proc()");
        return errno;
    }

    cap_value_t cap_list = CAP_NET_ADMIN;
    int error = 0;

    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_list, CAP_SET) == -1) {
        error = errno;
        perror("cap_set_flags(CAP_NET_ADMIN)");
    }

    if (cap_set_proc(caps) == -1) {
        error = errno;
        perror("cap_set_proc(CAP_NET_ADMIN)");
    }

    if (cap_free(caps) == -1) {
        error = errno;
        perror("cap_free()");
    }

    return error;
}
Exemple #4
0
Fichier : cap.c Projet : AMDmi3/zsh
static int
bin_cap(char *nam, char **argv, UNUSED(Options ops), UNUSED(int func))
{
    int ret = 0;
    cap_t caps;
    if(*argv) {
	unmetafy(*argv, NULL);
	caps = cap_from_text(*argv);
	if(!caps) {
	    zwarnnam(nam, "invalid capability string");
	    return 1;
	}
	if(cap_set_proc(caps)) {
	    zwarnnam(nam, "can't change capabilities: %e", errno);
	    ret = 1;
	}
    } else {
	char *result = NULL;
	ssize_t length;
	caps = cap_get_proc();
	if(caps)
	    result = cap_to_text(caps, &length);
	if(!caps || !result) {
	    zwarnnam(nam, "can't get capabilities: %e", errno);
	    ret = 1;
	} else
	    puts(result);
    }
    cap_free(caps);
    return ret;
}
int modify_capability(cap_value_t cap, cap_flag_value_t on)
{
	cap_t cap_p = cap_get_proc();
	cap_flag_value_t cap_ok;
	int rc = -1;

	if (!cap_p) {
		perror("ping: cap_get_proc");
		goto out;
	}

	cap_ok = CAP_CLEAR;
	cap_get_flag(cap_p, cap, CAP_PERMITTED, &cap_ok);
	if (cap_ok == CAP_CLEAR) {
		rc = on ? -1 : 0;
		goto out;
	}

	cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap, on);

	if (cap_set_proc(cap_p) < 0) {
		perror("ping: cap_set_proc");
		goto out;
	}

	cap_free(cap_p);

	rc = 0;
out:
	if (cap_p)
		cap_free(cap_p);
	return rc;
}
Exemple #6
0
int main(int argc, char *argv[])
{
#ifdef HAVE_LIBCAP
	cap_t cap = cap_get_proc();
	int fd;
	int seqno = 0;
	char buf[2000];

	if (argc > 1)
		seqno = atoi(argv[1]);

	if (!cap) {
		perror("print_caps - cap_get_proc");
		exit(1);
	}

	fd = open(FIFOFILE, O_WRONLY);
	if (!fd) {
		perror("print_caps: open fifo");
		exit(2);
	}

	snprintf(buf, 2000, "%d.%s", seqno, cap_to_text(cap, NULL));
	write(fd, buf, strlen(buf)+1);
	close(fd);

	cap_free(cap);
#endif
	return 0;
}
Exemple #7
0
    static capa_status cap_check(cap_value_t capa, user_interaction & ui, bool verbose, const std::string & capa_name)
    {
	capa_status ret = capa_unknown;
	cap_t capaset = cap_get_proc();
	cap_flag_value_t val;

	try
	{
	    if(cap_get_flag(capaset, capa, CAP_EFFECTIVE, &val) == 0)
		ret = (val == CAP_SET) ? capa_set : capa_clear;
	    else
	    {
		ret = capa_unknown;
		if(verbose)
		{
		    string tmp = strerror(errno);
		    ui.printf(gettext("Error met while checking for capability %S: %S"), &capa_name, &tmp);
		}
	    }
	}
	catch(...) // well a try/catch may seems useless here, but it does not hurt ... :-)
	{
	    cap_free(capaset);
	    throw;
	}
	cap_free(capaset);

	return ret;
    }
Exemple #8
0
int lxc_caps_down(void)
{
	cap_t caps;
	int ret;

	/* when we are run as root, we don't want to play
	 * with the capabilities */
	if (!getuid())
		return 0;

	caps = cap_get_proc();
	if (!caps) {
		ERROR("failed to cap_get_proc: %m");
		return -1;
	}

	ret = cap_clear_flag(caps, CAP_EFFECTIVE);
	if (ret) {
		ERROR("failed to cap_clear_flag: %m");
		goto out;
	}

	ret = cap_set_proc(caps);
	if (ret) {
		ERROR("failed to cap_set_proc: %m");
		goto out;
	}

out:
	cap_free(caps);
        return 0;
}
Exemple #9
0
void debug_print_caps(char *when)
{
	char buf[2000];
	tst_resm(TINFO, "%s", when);
	snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL));
	tst_resm(TINFO, "%s", buf);
}
Exemple #10
0
Fichier : caps.c Projet : ostap/lxc
/*
 * check if we have the caps needed to start a container.  returns 1 on
 * success, 0 on error.  (I'd prefer this be a bool, but am afraid that
 * might fail to build on some distros).
 */
int lxc_caps_check(void)
{
	uid_t uid = getuid();
	cap_t caps;
	cap_flag_value_t value;
	int i, ret;

	cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };

#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))

	if (!uid)
		return 1;

	caps = cap_get_proc();
	if (!caps) {
		ERROR("failed to cap_get_proc: %m");
		return 0;
	}

	for (i=0; i<NUMCAPS; i++) {
		ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
		if (ret) {
			ERROR("Failed to cap_get_flag: %m");
			return 0;
		}
		if (!value) {
			return 0;
		}
	}

	return 1;
}
Exemple #11
0
int
modify_cap (int capability, int setting)
{
	cap_t caps;
	cap_value_t capList[1];

	caps = cap_get_proc ();
	if (caps == NULL)
		return -1;

	capList[0] = capability;
	if (cap_set_flag (caps, CAP_EFFECTIVE, 1, capList, setting) == -1) {
		cap_free (caps);
		return -1;
	}

	if (cap_set_proc (caps) == -1) {
		cap_free (caps);
		return -1;
	}

	if (cap_free (caps) == -1)
		return -1;

	return 0;
}
Exemple #12
0
int modify_capability(cap_value_t cap, cap_flag_value_t on)
{
	cap_t cap_p = cap_get_proc();

	if (!cap_p) {
		perror("cap_get_proc");
		return -1;
	}

	if (cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap, on) < 0) {
		perror("cap_set_flag");
		return -1;
	}

	if (cap_set_proc(cap_p) < 0) {
		perror("cap_set_proc");
		return -1;
	}

	if (cap_free(cap_p) < 0) {
		perror("cap_free");
		return -1;
	}

	return 0;
}
Exemple #13
0
/**************************************************************************
 Try and abstract process capabilities (for systems that have them).
****************************************************************************/
static BOOL set_process_capability( uint32 cap_flag, BOOL enable )
{
	if(cap_flag == KERNEL_OPLOCK_CAPABILITY) {
		cap_t cap = cap_get_proc();

		if (cap == NULL) {
			DEBUG(0,("set_process_capability: cap_get_proc failed. Error was %s\n",
				strerror(errno)));
			return False;
		}

		if(enable)
			cap->cap_effective |= CAP_NETWORK_MGT;
		else
			cap->cap_effective &= ~CAP_NETWORK_MGT;

		if (cap_set_proc(cap) == -1) {
			DEBUG(0,("set_process_capability: cap_set_proc failed. Error was %s\n",
				strerror(errno)));
			cap_free(cap);
			return False;
		}

		cap_free(cap);

		DEBUG(10,("set_process_capability: Set KERNEL_OPLOCK_CAPABILITY.\n"));
	}
	return True;
}
Exemple #14
0
static bool set_inherited_process_capability( uint32_t cap_flag, bool enable )
{
	if(cap_flag == KERNEL_OPLOCK_CAPABILITY) {
		cap_t cap = cap_get_proc();

		if (cap == NULL) {
			DEBUG(0,("set_inherited_process_capability: cap_get_proc failed. Error was %s\n",
				strerror(errno)));
			return false;
		}

		if(enable)
			cap->cap_inheritable |= CAP_NETWORK_MGT;
		else
			cap->cap_inheritable &= ~CAP_NETWORK_MGT;

		if (cap_set_proc(cap) == -1) {
			DEBUG(0,("set_inherited_process_capability: cap_set_proc failed. Error was %s\n", 
				strerror(errno)));
			cap_free(cap);
			return false;
		}

		cap_free(cap);

		DEBUG(10,("set_inherited_process_capability: Set KERNEL_OPLOCK_CAPABILITY.\n"));
	}
	return true;
}
Exemple #15
0
/* run in map_to_storage hook */
static int ruid_uiiii (request_rec *r)
{
	if (!ap_is_initial_req(r)) {
		return DECLINED;
	}

	int retval = ruid_set_perm(r, __func__);

	int ncap;
	cap_t cap;
	cap_value_t capval[4];

	/* clear capabilities from permitted set (permanent) */
	if (cap_mode == RUID_CAP_MODE_DROP) {
		cap=cap_get_proc();
		capval[0]=CAP_SETUID;
		capval[1]=CAP_SETGID;
		capval[2]=CAP_DAC_READ_SEARCH;
		ncap = 2;
		if (root_handle == UNSET) capval[ncap++] = CAP_SYS_CHROOT;
		cap_set_flag(cap,CAP_PERMITTED,ncap,capval,CAP_CLEAR);

		if (cap_set_proc(cap)!=0) {
			ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed after setuid", MODULE_NAME, __func__);
			retval = HTTP_FORBIDDEN;
		}
		cap_free(cap);
	}

	return retval;
}
Exemple #16
0
/**
 * g_process_cap_save:
 *
 * Save the set of current capabilities and return it. The caller might
 * restore the saved set of capabilities by using cap_restore().
 *
 * Returns: the current set of capabilities
 **/
cap_t 
g_process_cap_save(void)
{
  if (!process_opts.caps)
    return NULL;

  return cap_get_proc();
}
void print_my_caps()
{
	cap_t cap = cap_get_proc();
	char *txt = cap_to_text(cap, NULL);
	tst_resm(TINFO, "\ncaps are %s\n", txt);
	cap_free(cap);
	cap_free(txt);
}
Exemple #18
0
/**
 * g_process_cap_save:
 *
 * Save the set of current capabilities and return it. The caller might
 * restore the saved set of capabilities by using cap_restore().
 *
 * Returns: the current set of capabilities
 **/
cap_t
g_process_cap_save(void)
{
  if (!g_process_is_cap_enabled())
    return NULL;

  return cap_get_proc();
}
Exemple #19
0
static void lower_my_caps(void)
{
	struct __user_cap_header_struct caphdr = {
		.version = _LINUX_CAPABILITY_VERSION
	};
	cap_user_data_t capdata;
	ssize_t capstrlen = 0;
	cap_t my_cap;
	char *cap_text;
	int capsz;

	(void) capget(&caphdr, NULL);
	switch (caphdr.version) {
	case _LINUX_CAPABILITY_VERSION_1:
		capsz = _LINUX_CAPABILITY_U32S_1;
		break;
	case _LINUX_CAPABILITY_VERSION_2:
		capsz = _LINUX_CAPABILITY_U32S_2;
		break;
	default:
		abort(); /* can't happen */
	}

	capdata = gsh_calloc(capsz, sizeof(struct __user_cap_data_struct));
	caphdr.pid = getpid();

	if (capget(&caphdr, capdata) != 0)
		LogFatal(COMPONENT_INIT,
			 "Failed to query capabilities for process, errno=%u",
			 errno);

	/* Set the capability bitmask to remove CAP_SYS_RESOURCE */
	if (capdata->effective & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->effective &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capdata->permitted & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->permitted &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capdata->inheritable & CAP_TO_MASK(CAP_SYS_RESOURCE))
		capdata->inheritable &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);

	if (capset(&caphdr, capdata) != 0)
		LogFatal(COMPONENT_INIT,
			 "Failed to set capabilities for process, errno=%u",
			 errno);
	else
		LogEvent(COMPONENT_INIT,
			 "CAP_SYS_RESOURCE was successfully removed for proper quota management in FSAL");

	/* Print newly set capabilities (same as what CLI "getpcaps" displays */
	my_cap = cap_get_proc();
	cap_text = cap_to_text(my_cap, &capstrlen);
	LogEvent(COMPONENT_INIT, "currenty set capabilities are: %s",
		 cap_text);
	cap_free(cap_text);
	cap_free(my_cap);
	gsh_free(capdata);
}
Exemple #20
0
void drop_caps(const struct minijail *j)
{
	cap_t caps = cap_get_proc();
	cap_value_t flag[1];
	const uint64_t one = 1;
	unsigned int i;
	if (!caps)
		die("can't get process caps");
	if (cap_clear_flag(caps, CAP_INHERITABLE))
		die("can't clear inheritable caps");
	if (cap_clear_flag(caps, CAP_EFFECTIVE))
		die("can't clear effective caps");
	if (cap_clear_flag(caps, CAP_PERMITTED))
		die("can't clear permitted caps");
	for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) {
		/* Keep CAP_SETPCAP for dropping bounding set bits. */
		if (i != CAP_SETPCAP && !(j->caps & (one << i)))
			continue;
		flag[0] = i;
		if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_SET))
			die("can't add effective cap");
		if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_SET))
			die("can't add permitted cap");
		if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_SET))
			die("can't add inheritable cap");
	}
	if (cap_set_proc(caps))
		die("can't apply initial cleaned capset");

	/*
	 * Instead of dropping bounding set first, do it here in case
	 * the caller had a more permissive bounding set which could
	 * have been used above to raise a capability that wasn't already
	 * present. This requires CAP_SETPCAP, so we raised/kept it above.
	 */
	for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) {
		if (j->caps & (one << i))
			continue;
		if (prctl(PR_CAPBSET_DROP, i))
			pdie("prctl(PR_CAPBSET_DROP)");
	}

	/* If CAP_SETPCAP wasn't specifically requested, now we remove it. */
	if ((j->caps & (one << CAP_SETPCAP)) == 0) {
		flag[0] = CAP_SETPCAP;
		if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_CLEAR))
			die("can't clear effective cap");
		if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_CLEAR))
			die("can't clear permitted cap");
		if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_CLEAR))
			die("can't clear inheritable cap");
	}

	if (cap_set_proc(caps))
		die("can't apply final cleaned capset");

	cap_free(caps);
}
Exemple #21
0
int
main(int argc, char **argv)
{
	cap_t cap;
	cap_flag_value_t effective, permitted;
	char bindf[PATH_MAX - 1];
	int rv;

	if (argc != 3)
		usage();

	cap = cap_get_proc();
	if (cap == NULL) {
		fprintf(stderr, "cap_get_proc() returned %s!\n",
		    strerror(errno));
		exit(EXIT_FAILURE);
	}

	cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &effective);
	cap_get_flag(cap, CAP_SYS_ADMIN, CAP_PERMITTED, &permitted);
	if ((effective != CAP_SET) && (permitted != CAP_SET)) {
		fprintf(stderr, "E: missing 'cap_sys_admin' capability!\n"
		    "Please set it with: setcap cap_sys_admin=ep %s'\n",
		    argv[0]);
		cap_free(cap);
		exit(EXIT_FAILURE);
	}
	cap_free(cap);

	/* Check that status file exists in masterdir */
	rv = snprintf(bindf, sizeof(bindf), "%s/.%s_mount_bind_done",
	    argv[1], argv[2]);
	if (rv < 0 || rv >= sizeof(bindf))
		exit(EXIT_FAILURE);

	if (access(bindf, R_OK) == -1) {
		fprintf(stderr, "E: cannot umount %s/%s, missing "
		    "status file\n", argv[1], argv[2]);
		exit(EXIT_FAILURE);
	}

	/* Security check passed, continue mounting */
	rv = snprintf(bindf, sizeof(bindf), "%s/%s", argv[1], argv[2]);
	if (rv < 0 || rv >= sizeof(bindf))
		exit(EXIT_FAILURE);

	if ((rv = umount(bindf)) != 0) {
		fprintf(stderr, "E: cannot umount %s: %s\n", argv[1],
		    strerror(errno));
		exit(EXIT_FAILURE);
	}

	exit(EXIT_SUCCESS);
}
Exemple #22
0
  /* n.b. yes I know I should be using libcap!! */
  int retval;
  struct __user_cap_header_struct cap_head;
  struct __user_cap_data_struct cap_data;
  __u32 cap_mask = 0;
  if (!caps)
  {
    bug("asked to adopt no capabilities");
  }
  vsf_sysutil_memclr(&cap_head, sizeof(cap_head));
  vsf_sysutil_memclr(&cap_data, sizeof(cap_data));
  cap_head.version = _LINUX_CAPABILITY_VERSION;
  cap_head.pid = 0;
  if (caps & kCapabilityCAP_CHOWN)
  {
    cap_mask |= (1 << CAP_CHOWN);
  }
  if (caps & kCapabilityCAP_NET_BIND_SERVICE)
  {
    cap_mask |= (1 << CAP_NET_BIND_SERVICE);
  }
  cap_data.effective = cap_data.permitted = cap_mask;
  cap_data.inheritable = 0;
  retval = capset(&cap_head, &cap_data);
  if (retval != 0)
  {
    die("capset");
  }
}

  #else /* VSF_SYSDEP_HAVE_LIBCAP */
static int
do_checkcap(void)
{
  cap_t current_caps = cap_get_proc();
  cap_free(current_caps);
  if (current_caps != NULL)
  {
    return 1;
  }
  return 0;
}
Exemple #23
0
static void
display_creds_and_caps(char *msg)
{
    cap_t caps;

    printf("%seUID = %ld;  eGID = %ld;  ", msg,
            (long) geteuid(), (long) getegid());

    caps = cap_get_proc();
    printf("capabilities: %s\n", cap_to_text(caps, NULL));
}
Exemple #24
0
static int am_privileged(void)
{
	int am_privileged = 1;

	cap_t cap = cap_get_proc();
	if (eff_caps_empty(cap))
		am_privileged = 0;
	cap_free(cap);

	return am_privileged;
}
void *chg_uid_gid(void *arg)
{
	cap_t newcaps;
	cap_t mycaps;
	int ret;

	test_msg("Aux thread runs as UID: %d; GID: %d\n", getuid(), getgid());

	newcaps = cap_from_text("cap_setgid,cap_setuid=+eip");
	if (!newcaps) {
		pr_perror("Failed to get capability struct\n");
		exit(1);
	}

	ret = cap_set_proc(newcaps);
	if (ret) {
		pr_perror("Failed to set capabilities for the process\n");
		exit(1);
	}

	mycaps = cap_get_proc();
	if (!mycaps) {
		pr_perror("Failed to get child thread capabilities\n");
		exit_group(2);
	}

	test_msg("Child capabilities: %s\n", cap_to_text(mycaps, NULL));
	test_msg("Changing UID/GID in child thread to %d:%d\n", uid, gid);

	ret = syscall(SYS_setresgid, gid, gid, gid);
	if (ret >= 0) {
		syscall(SYS_setresuid, uid, uid, uid);
	} else if (ret < 0) {
		pr_perror("Failed to change UID/GID\n");
		exit_group(2);
	}

	gid = getgid();
	uid = getuid();
	test_msg("Now aux thread runs as UID: %d; GID: %d\n", uid, gid);

	test_msg("Child thread is waiting for main thread's signal\n");
	task_waiter_complete(&t, 1);

	pthread_mutex_lock(&mutex);
	while (!done) {
		pthread_cond_wait(&cond, &mutex);
	}
	pthread_mutex_unlock(&mutex);

	test_msg("Child thread returns\n");
	return NULL;
}
Exemple #26
0
static int have_capabilities(void) {
#ifdef HAVE_CAP_GET_PROC
	cap_t caps = cap_get_proc();
	if (caps) {
		cap_flag_value_t value_p;
		cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE,&value_p);
		cap_free(caps);
		return (value_p);
	}
#endif  /*HAVE_CAP_GET_PROC*/
	return 0;
}
Exemple #27
0
static int child_exec(void *stuff) {
  cap_t caps;
  printf("eUID=%ld; eGID=%ld; ", (long)geteuid(), (long)getegid());
  caps = cap_get_proc();
  printf("capabilities: %s\n", cap_to_text(caps, NULL));
  struct clone_args *args = (struct clone_args *)stuff;
  if (execvp(args->argv[0], args->argv) != 0) {
    fprintf(stderr, "failed to execvp argments %d\n", strerror(errno));
    exit(-1);
  }
  // We should never reach here!
  exit(-1);
}
Exemple #28
0
static void drop_cap_sys_admin(void)
{
	cap_value_t cap_value[] = { CAP_SYS_ADMIN };
	cap_t cap = cap_get_proc();
	if (!cap)
		tst_brk(TBROK | TERRNO, "cap_get_proc failed");

	if (cap_set_flag(cap, CAP_EFFECTIVE, 1, cap_value, CAP_CLEAR))
		tst_brk(TBROK | TERRNO, "cap_set_flag failed");

	if (cap_set_proc(cap))
		tst_brk(TBROK | TERRNO, "cap_set_proc failed");
}
Exemple #29
0
int lxc_caps_up(void)
{
	cap_t caps;
	cap_value_t cap;
	int ret;

	/* when we are run as root, we don't want to play
	 * with the capabilities */
	if (!getuid())
		return 0;

	caps = cap_get_proc();
	if (!caps) {
		ERROR("failed to cap_get_proc: %m");
		return -1;
	}

    //设置程序能力
	for (cap = 0; cap <= CAP_LAST_CAP; cap++) {

		cap_flag_value_t flag;

		ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
		if (ret) {
			if (errno == EINVAL) {
				INFO("Last supported cap was %d\n", cap-1);
				break;
			} else {
				ERROR("failed to cap_get_flag: %m");
				goto out;
			}
		}

		ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
		if (ret) {
			ERROR("failed to cap_set_flag: %m");
			goto out;
		}
	}

	ret = cap_set_proc(caps);
	if (ret) {
		ERROR("failed to cap_set_proc: %m");
		goto out;
	}

out:
	cap_free(caps);
        return 0;
}
Exemple #30
0
static void show_capabilities(void) {
        cap_t caps;
        char *text;

        caps = cap_get_proc();
        assert_se(caps);

        text = cap_to_text(caps, NULL);
        assert_se(text);

        log_info("Capabilities:%s", text);
        cap_free(caps);
        cap_free(text);
}