cap_t
preserve_capabilities (void)
{
if (getuid () != 0)
/* Not root, then we cannot preserve anything. */
return NULL;
if (prctl (PR_SET_KEEPCAPS, 1) == -1)
{
dbg_log (_("Failed to set keep-capabilities"));
error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
/* NOTREACHED */
}
cap_t tmp_caps = cap_init ();
cap_t new_caps = NULL;
if (tmp_caps != NULL)
new_caps = cap_init ();
if (tmp_caps == NULL || new_caps == NULL)
{
if (tmp_caps != NULL)
cap_free (tmp_caps);
dbg_log (_("Failed to initialize drop of capabilities"));
error (EXIT_FAILURE, 0, _("cap_init failed"));
}
/* There is no reason why these should not work. */
cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
(cap_value_t *) new_cap_list, CAP_SET);
cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
(cap_value_t *) new_cap_list, CAP_SET);
cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
(cap_value_t *) tmp_cap_list, CAP_SET);
cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
(cap_value_t *) tmp_cap_list, CAP_SET);
int res = cap_set_proc (tmp_caps);
cap_free (tmp_caps);
if (__builtin_expect (res != 0, 0))
{
cap_free (new_caps);
dbg_log (_("Failed to drop capabilities"));
error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
}
return new_caps;
}
int avahi_caps_reduce2(void) {
int ret = 0;
cap_t caps;
static cap_value_t cap_values[] = { CAP_SYS_CHROOT };
/* Reduce our caps to the bare minimum and tell Linux not to keep
* them across setuid(). This is called after we drop
* privileges. */
/* No longer retain caps across setuid() */
if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
avahi_log_error("prctl(PR_SET_KEEPCAPS) failed: %s", strerror(errno));
ret = -1;
}
caps = cap_init();
assert(caps);
cap_clear(caps);
/* setuid() zeroed our effective caps, let's get them back */
cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_values, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 1, cap_values, CAP_SET);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
return ret;
}
int avahi_caps_reduce(void) {
int ret = 0;
cap_t caps;
static cap_value_t cap_values[] = { CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID };
/* Let's reduce our caps to the minimum set and tell Linux to keep
* them across setuid(). This is called before we drop
* privileges. */
caps = cap_init();
assert(caps);
cap_clear(caps);
cap_set_flag(caps, CAP_EFFECTIVE, 3, cap_values, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 3, cap_values, CAP_SET);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
/* Retain capabilities across setuid() */
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
avahi_log_error("prctl(PR_SET_KEEPCAPS) failed: %s", strerror(errno));
ret = -1;
}
return ret;
}
static int issueReinit() {
cap_t caps = cap_init();
(void)cap_clear(caps);
(void)cap_set_proc(caps);
(void)cap_free(caps);
int sock = TEMP_FAILURE_RETRY(socket_local_client(
"logd", ANDROID_SOCKET_NAMESPACE_RESERVED, SOCK_STREAM));
if (sock < 0) return -errno;
static const char reinitStr[] = "reinit";
ssize_t ret = TEMP_FAILURE_RETRY(write(sock, reinitStr, sizeof(reinitStr)));
if (ret < 0) return -errno;
struct pollfd p;
memset(&p, 0, sizeof(p));
p.fd = sock;
p.events = POLLIN;
ret = TEMP_FAILURE_RETRY(poll(&p, 1, 1000));
if (ret < 0) return -errno;
if ((ret == 0) || !(p.revents & POLLIN)) return -ETIME;
static const char success[] = "success";
char buffer[sizeof(success) - 1];
memset(buffer, 0, sizeof(buffer));
ret = TEMP_FAILURE_RETRY(read(sock, buffer, sizeof(buffer)));
if (ret < 0) return -errno;
return strncmp(buffer, success, sizeof(success) - 1) != 0;
}
// Setting linux capabilities (permitted, effective and inheritable) for the current process.
// Permitted set indicates the capabilities what could be set for the process.
// Effective set is a subset of permitted set, they are actually effective.
// Inheritable set indicates the capabilities what the children will inherit from the current process.
static bool setCapabilities(cap_value_t* capabilityList, int length)
{
// Capabilities should be initialized without flags.
cap_t capabilities = cap_init();
if (!capabilities) {
fprintf(stderr, "Failed to initialize process capabilities: %s.\n", strerror(errno));
return false;
}
if (cap_clear(capabilities) == -1) {
fprintf(stderr, "Failed to clear process capabilities: %s.\n", strerror(errno));
return false;
}
if (capabilityList && length) {
if (cap_set_flag(capabilities, CAP_EFFECTIVE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_INHERITABLE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_PERMITTED, length, capabilityList, CAP_SET) == -1) {
fprintf(stderr, "Failed to set process capability flags: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
}
if (cap_set_proc(capabilities) == -1) {
fprintf(stderr, "Failed to set process capabilities: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
cap_free(capabilities);
return true;
}
int limit_capabilities(void)
{
cap_t cap_p;
const cap_value_t caps[] = {
CAP_NET_ADMIN,
CAP_NET_RAW,
};
int i;
cap_p = cap_init();
if (!cap_p) {
perror("cap_get_proc");
return -1;
}
for (i = 0; i < ARRAY_SIZE(caps); i++) {
if (cap_clear(cap_p) < 0) {
perror("cap_clear");
return -1;
}
if (cap_set_flag(cap_p, CAP_PERMITTED, ARRAY_SIZE(caps) - i, caps + i, CAP_SET) < 0) {
perror("cap_set_flag");
return -1;
}
if (cap_set_proc(cap_p) < 0)
continue;
break;
}
if (i == ARRAY_SIZE(caps)) {
perror("cap_set_proc");
if (errno != EPERM)
return -1;
}
if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
perror("prctl");
return -1;
}
if (setuid(getuid()) < 0) {
perror("setuid");
return -1;
}
if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
perror("prctl");
return -1;
}
cap_free(cap_p);
uid = getuid();
euid = geteuid();
return 0;
}
static int give_capabilities (pid_t pid)
{
cap_t caps = cap_init();
const unsigned caps_size = 4;
cap_value_t cap_list[] =
{ CAP_SETPCAP, CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_IPC_LOCK} ;
if (caps == NULL) {
fprintf (stderr, "jackstart: could not allocate capability working storage\n");
return -1;
}
cap_clear(caps);
if (capgetp (pid, caps)) {
fprintf (stderr, "jackstart: could not get capabilities for process %d\n", pid);
cap_clear(caps);
}
cap_set_flag(caps, CAP_EFFECTIVE, caps_size, cap_list , CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, caps_size, cap_list , CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, caps_size, cap_list , CAP_SET);
if (capsetp (pid, caps)) {
fprintf (stderr, "jackstart: could not give capabilities: %s\n", strerror (errno));
cap_free (caps);
return -1;
}
cap_free (caps);
return 0;
}
void
vsf_sysdep_adopt_capabilities(unsigned int caps)
{
int retval;
cap_value_t cap_value;
cap_t adopt_caps = cap_init();
if (caps & kCapabilityCAP_CHOWN)
{
cap_value = CAP_CHOWN;
cap_set_flag(adopt_caps, CAP_EFFECTIVE, 1, &cap_value, CAP_SET);
cap_set_flag(adopt_caps, CAP_PERMITTED, 1, &cap_value, CAP_SET);
}
if (caps & kCapabilityCAP_NET_BIND_SERVICE)
{
cap_value = CAP_NET_BIND_SERVICE;
cap_set_flag(adopt_caps, CAP_EFFECTIVE, 1, &cap_value, CAP_SET);
cap_set_flag(adopt_caps, CAP_PERMITTED, 1, &cap_value, CAP_SET);
}
retval = cap_set_proc(adopt_caps);
if (retval != 0)
{
die("cap_set_proc");
}
cap_free(adopt_caps);
}
void UnixMurmur::finalcap() {
#ifdef Q_OS_LINUX
cap_value_t caps[] = {CAP_SYS_RESOURCE};
struct rlimit r;
if (! bRoot)
return;
if (getrlimit(RLIMIT_RTPRIO, &r) != 0) {
qCritical("Failed to get priority limits.");
} else {
qWarning("Resource limits were %ld %ld", r.rlim_cur, r.rlim_max);
r.rlim_cur = r.rlim_max = 1;
if (setrlimit(RLIMIT_RTPRIO, &r) != 0) {
qCritical("Failed to set priority limits.");
}
}
int ncap = sizeof(caps)/sizeof(cap_value_t);
cap_t c = cap_init();
cap_clear(c);
cap_set_flag(c, CAP_EFFECTIVE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_PERMITTED, ncap, caps, CAP_SET);
if (cap_set_proc(c) != 0) {
qCritical("Failed to set final capabilities");
} else {
qWarning("Successfully dropped capabilities");
}
cap_free(c);
#endif
}
static bool setMinimalCapabilities() {
cap_t cap_d = cap_init();
if (cap_d != nullptr) {
cap_value_t cap_list[] = {CAP_NET_BIND_SERVICE, CAP_SYS_RESOURCE,
CAP_SYS_NICE};
cap_clear(cap_d);
if (cap_set_flag(cap_d, CAP_PERMITTED, 3, cap_list, CAP_SET) < 0 ||
cap_set_flag(cap_d, CAP_EFFECTIVE, 3, cap_list, CAP_SET) < 0) {
Logger::Error("cap_set_flag failed");
return false;
}
if (cap_set_proc(cap_d) == -1) {
Logger::Error("cap_set_proc failed");
return false;
}
if (cap_free(cap_d) == -1) {
Logger::Error("cap_free failed");
return false;
}
prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
return true;
}
return false;
}
void UnixMurmur::initialcap() {
#ifdef Q_OS_LINUX
cap_value_t caps[] = {CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID, CAP_CHOWN, CAP_SYS_RESOURCE, CAP_DAC_OVERRIDE };
if (! bRoot)
return;
int ncap = sizeof(caps)/sizeof(cap_value_t);
if (geteuid() != 0)
ncap--;
cap_t c = cap_init();
cap_clear(c);
cap_set_flag(c, CAP_EFFECTIVE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_INHERITABLE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_PERMITTED, ncap, caps, CAP_SET);
if (cap_set_proc(c) != 0) {
qCritical("Failed to set initial capabilities");
} else {
prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
}
cap_free(c);
#endif
}
cap_t cap_get_file(const char *filename)
{
cap_t result;
/* allocate a new capability set */
result = cap_init();
if (result) {
struct vfs_cap_data rawvfscap;
int sizeofcaps;
_cap_debug("getting filename capabilities");
/* fill the capability sets via a system call */
sizeofcaps = getxattr(filename, XATTR_NAME_CAPS,
&rawvfscap, sizeof(rawvfscap));
if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) {
cap_free(result);
result = NULL;
} else {
result = _fcaps_load(&rawvfscap, result, sizeofcaps);
}
}
return result;
}
int
main(void)
{
cap_channel_t *capcas, *cappwd;
printf("1..188\n");
capcas = cap_init();
CHECKX(capcas != NULL);
cappwd = cap_service_open(capcas, "system.pwd");
CHECKX(cappwd != NULL);
cap_close(capcas);
/* No limits. */
CHECK(runtest_cmds(cappwd) == (GETPWENT | GETPWENT_R | GETPWNAM |
GETPWNAM_R | GETPWUID | GETPWUID_R));
test_cmds(cappwd);
test_fields(cappwd);
test_users(cappwd);
cap_close(cappwd);
exit(0);
}
int drop_capabilities(void)
{
cap_t cap = cap_init();
if (cap_set_proc(cap) < 0) {
perror("cap_set_proc");
return -1;
}
cap_free(cap);
return 0;
}
void
kern_main(void)
{
cap_init();
ltbl_init();
comp_init();
thd_init();
inv_init();
kern_boot_comp();
}
/* run after child init we are uid User and gid Group */
static void ruid_child_init (apr_pool_t *p, server_rec *s)
{
UNUSED(s);
int ncap;
cap_t cap;
cap_value_t capval[4];
/* detect default supplementary group IDs */
if ((startup_groupsnr = getgroups(RUID_MAXGROUPS, startup_groups)) == -1) {
startup_groupsnr = 0;
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s ERROR getgroups() failed on child init, ignoring supplementary group IDs", MODULE_NAME);
}
/* setup chroot jailbreak */
if (chroot_used == RUID_CHROOT_USED && cap_mode == RUID_CAP_MODE_KEEP) {
if ((root_handle = open("/.", O_RDONLY)) < 0) {
root_handle = UNSET;
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR opening root file descriptor failed (%s)", MODULE_NAME, strerror(errno));
} else if (fcntl(root_handle, F_SETFD, FD_CLOEXEC) < 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR unable to set close-on-exec flag on root file descriptor (%s)", MODULE_NAME, strerror(errno));
if (close(root_handle) < 0)
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR closing root file descriptor (%d) failed", MODULE_NAME, root_handle);
root_handle = UNSET;
} else {
/* register cleanup function */
apr_pool_cleanup_register(p, (void*)((long)root_handle), ruid_child_exit, apr_pool_cleanup_null);
}
} else {
root_handle = (chroot_used == RUID_CHROOT_USED ? NONE : UNSET);
}
/* init cap with all zeros */
cap = cap_init();
capval[0] = CAP_SETUID;
capval[1] = CAP_SETGID;
ncap = 2;
if (mode_stat_used == RUID_MODE_STAT_USED) {
capval[ncap++] = CAP_DAC_READ_SEARCH;
}
if (root_handle != UNSET) {
capval[ncap++] = CAP_SYS_CHROOT;
}
cap_set_flag(cap, CAP_PERMITTED, ncap, capval, CAP_SET);
if (cap_set_proc(cap) != 0) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed", MODULE_NAME, __func__);
}
cap_free(cap);
/* check if process is dumpable */
coredump = prctl(PR_GET_DUMPABLE);
}
void linux_drop_privs(void)
{
cap_t caps = cap_init();
int num = 2;
cap_value_t capList[] = { CAP_NET_ADMIN, CAP_SETUID };
cap_set_flag(caps, CAP_EFFECTIVE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, num, capList, CAP_SET);
if (cap_set_proc(caps))
err(1, "cap_set_flag()");
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0))
err(1, "prctl()");
cap_free(caps);
if (setuid(666) == -1)
err(1, "setuid()");
caps = cap_init();
num = 1;
cap_set_flag(caps, CAP_EFFECTIVE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, num, capList, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, num, capList, CAP_SET);
if (cap_set_proc(caps))
err(1, "cap_set_proc()");
cap_free(caps);
/* XXX this really sucks. The guy can screw with our net =( */
}
/*-------------------------------------------------------------------*/
DLL_EXPORT int drop_privileges(int capa)
{
uid_t uid;
gid_t gid;
cap_t c;
int rc;
int failed;
cap_value_t v;
int have_capt;
/* If *real* userid is root, no need to do all this */
uid=getuid();
if(!uid) return 0;
failed=1;
have_capt=0;
do
{
c=cap_init();
if(!c) break;
have_capt=1;
v=capa;
rc=cap_set_flag(c,CAP_EFFECTIVE,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_flag(c,CAP_INHERITABLE,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_flag(c,CAP_PERMITTED,1,&v,CAP_SET);
if(rc<0) break;
rc=cap_set_proc(c);
if(rc<0) break;
rc=prctl(PR_SET_KEEPCAPS,1);
if(rc<0) break;
failed=0;
} while(0);
gid=getgid();
setregid(gid,gid);
setreuid(uid,uid);
if(!failed)
{
rc=cap_set_proc(c);
if(rc<0) failed=1;
}
if(have_capt)
cap_free(c);
return failed;
}
void drop_capabilities(void)
{
#ifdef CAPABILITIES
cap_t cap = cap_init();
if (cap_set_proc(cap) < 0) {
perror("ping: cap_set_proc");
exit(-1);
}
cap_free(cap);
#else
if (setuid(getuid())) {
perror("ping: setuid");
exit(-1);
}
#endif
}
static int /* Drop all capabilities from all sets */
dropAllCaps(void)
{
cap_t empty;
int s;
empty = cap_init();
if (empty == NULL)
return -1;
s = cap_set_proc(empty);
if (cap_free(empty) == -1)
return -1;
return s;
}
cap_t cap_get_proc(void)
{
cap_t result;
/* allocate a new capability set */
result = cap_init();
if (result) {
_cap_debug("getting current process' capabilities");
/* fill the capability sets via a system call */
if (capget(&result->head, &result->set)) {
cap_free(&result);
}
}
return result;
}
int
drop_all_caps (void)
{
cap_t empty;
int ret;
empty = cap_init ();
if (empty == NULL)
return -1;
ret = cap_set_proc (empty);
if (cap_free (empty) == -1)
return -1;
return ret;
}
int lxc_caps_reset(void)
{
cap_t cap = cap_init();
int ret = 0;
if (!cap) {
ERROR("cap_init() failed : %m");
return -1;
}
if (cap_set_proc(cap)) {
ERROR("cap_set_proc() failed : %m");
ret = -1;
}
cap_free(cap);
return ret;
}
int avahi_caps_drop_all(void) {
cap_t caps;
int ret = 0;
/* Drop all capabilities and turn ourselves into a normal user process */
caps = cap_init();
assert(caps);
cap_clear(caps);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
return ret;
}
cap_t cap_get_file(const char *filename)
{
cap_t result;
/* allocate a new capability set */
result = cap_init();
if (result) {
_cap_debug("getting named file capabilities");
/* fill the capability sets via a system call */
if (_getfilecap(filename, sizeof(struct __cap_s),
&result->set[CAP_INHERITABLE],
&result->set[CAP_PERMITTED],
&result->set[CAP_EFFECTIVE] ))
cap_free(&result);
}
return result;
}
static int check_capabilities (void)
{
cap_t caps = cap_init();
cap_flag_value_t cap;
pid_t pid;
int have_all_caps = 1;
if (caps == NULL) {
fprintf (stderr, "jackstart: could not allocate capability working storage\n");
return 0;
}
pid = getpid ();
cap_clear (caps);
if (capgetp (pid, caps)) {
fprintf (stderr, "jackstart: could not get capabilities for process %d\n", pid);
return 0;
}
/* check that we are able to give capabilites to other processes */
cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
/* check that we have the capabilities we want to transfer */
cap_get_flag(caps, CAP_SYS_NICE, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
cap_get_flag(caps, CAP_SYS_RESOURCE, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
cap_get_flag(caps, CAP_IPC_LOCK, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
done:
cap_free (caps);
return have_all_caps;
}
cap_t cap_dup(cap_t cap_d)
{
cap_t result;
if (!good_cap_t(cap_d)) {
_cap_debug("bad argument");
errno = EINVAL;
return NULL;
}
result = cap_init();
if (result == NULL) {
_cap_debug("out of memory");
return NULL;
}
memcpy(result, cap_d, sizeof(*cap_d));
return result;
}
cap_t cap_get_fd(int fildes)
{
cap_t result;
/* allocate a new capability set */
result = cap_init();
if (result) {
_cap_debug("getting fildes capabilities");
/* fill the capability sets via a system call */
if (_fgetfilecap(fildes, sizeof(struct __cap_s),
&result->set[CAP_INHERITABLE],
&result->set[CAP_PERMITTED],
&result->set[CAP_EFFECTIVE] )) {
cap_free(&result);
}
}
return result;
}
/**
* Drop all capabilities.
*/
void setup_drop_caps()
{
cap_t empty;
empty = cap_init();
if (!empty) {
SYSERROR("cap_init() failed");
throw -1;
}
if ( capsetp(0, empty) ) {
SYSERROR("capsetp() failed");
throw -1;
}
if ( cap_free(empty) ) {
SYSERROR("cap_free() failed");
throw -1;
}
DEBUG("capabilities has been dropped");
}
// Drop all caps except CAP_SYS_TIME
void drop_caps(void)
{
int r = 0;
cap_t caps;
cap_value_t needed_caps[1] = {CAP_SYS_TIME};
caps = cap_init();
if (caps == NULL)
die("cap_init: %s\n", strerror(errno));
r = cap_set_flag(caps, CAP_EFFECTIVE, 1, needed_caps, CAP_SET);
if (r != 0)
die("cap_set_flag() failed\n");
r = cap_set_flag(caps, CAP_PERMITTED, 1, needed_caps, CAP_SET);
if (r != 0)
die("cap_set_flag: %s\n", strerror(errno));
r = cap_set_proc(caps);
if (r != 0)
die("cap_set_proc: %s\n", strerror(errno));
r = cap_free(caps);
if (r != 0)
die("cap_free: %s\n", strerror(errno));
}
