From 430f0182b72373145c839dbfe99d2382855cb8f8 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 26 Oct 2015 23:32:16 +0100 Subject: src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers. --- Makefile.am | 8 +- src/basic/audit-util.c | 104 ++++++++++++ src/basic/audit-util.h | 33 ++++ src/basic/audit.c | 104 ------------ src/basic/audit.h | 33 ---- src/basic/capability-util.c | 308 ++++++++++++++++++++++++++++++++++++ src/basic/capability-util.h | 45 ++++++ src/basic/capability.c | 308 ------------------------------------ src/basic/capability.h | 45 ------ src/bus-proxyd/bus-proxyd.c | 2 +- src/core/dbus-execute.c | 2 +- src/core/execute.c | 2 +- src/core/kmod-setup.c | 2 +- src/core/main.c | 2 +- src/import/import-common.c | 2 +- src/import/pull-common.c | 2 +- src/journal/coredump.c | 2 +- src/journal/journald-server.c | 1 + src/journal/journald-server.h | 4 +- src/libsystemd/sd-bus/bus-control.c | 2 +- src/libsystemd/sd-bus/bus-creds.c | 4 +- src/libsystemd/sd-bus/bus-dump.c | 2 +- src/libsystemd/sd-bus/bus-kernel.c | 2 +- src/login/logind-dbus.c | 2 +- src/login/logind-session.c | 2 +- src/login/logind-utmp.c | 2 +- src/login/pam_systemd.c | 2 +- src/network/networkd.c | 2 +- src/nspawn/nspawn.c | 2 +- src/resolve/resolved.c | 2 +- src/shared/condition.c | 2 +- src/test/test-cap-list.c | 2 +- src/test/test-capability.c | 2 +- src/test/test-condition.c | 2 +- src/timesync/timesyncd.c | 2 +- src/tmpfiles/tmpfiles.c | 2 +- 36 files changed, 523 insertions(+), 522 deletions(-) create mode 100644 src/basic/audit-util.c create mode 100644 src/basic/audit-util.h delete mode 100644 src/basic/audit.c delete mode 100644 src/basic/audit.h create mode 100644 src/basic/capability-util.c create mode 100644 src/basic/capability-util.h delete mode 100644 src/basic/capability.c delete mode 100644 src/basic/capability.h diff --git a/Makefile.am b/Makefile.am index dada6cd85f..d435141492 100644 --- a/Makefile.am +++ b/Makefile.am @@ -762,8 +762,8 @@ noinst_LTLIBRARIES += \ libbasic_la_SOURCES = \ src/basic/missing.h \ - src/basic/capability.c \ - src/basic/capability.h \ + src/basic/capability-util.c \ + src/basic/capability-util.h \ src/basic/conf-files.c \ src/basic/conf-files.h \ src/basic/hostname-util.h \ @@ -898,8 +898,8 @@ libbasic_la_SOURCES = \ src/basic/login-util.c \ src/basic/cap-list.c \ src/basic/cap-list.h \ - src/basic/audit.c \ - src/basic/audit.h \ + src/basic/audit-util.c \ + src/basic/audit-util.h \ src/basic/xml.c \ src/basic/xml.h \ src/basic/json.c \ diff --git a/src/basic/audit-util.c b/src/basic/audit-util.c new file mode 100644 index 0000000000..93d1adaf99 --- /dev/null +++ b/src/basic/audit-util.c @@ -0,0 +1,104 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see . +***/ + +#include +#include + +#include "audit-util.h" +#include "fd-util.h" +#include "fileio.h" +#include "macro.h" +#include "parse-util.h" +#include "process-util.h" +#include "user-util.h" +#include "util.h" + +int audit_session_from_pid(pid_t pid, uint32_t *id) { + _cleanup_free_ char *s = NULL; + const char *p; + uint32_t u; + int r; + + assert(id); + + /* We don't convert ENOENT to ESRCH here, since we can't + * really distuingish between "audit is not available in the + * kernel" and "the process does not exist", both which will + * result in ENOENT. */ + + p = procfs_file_alloca(pid, "sessionid"); + + r = read_one_line_file(p, &s); + if (r < 0) + return r; + + r = safe_atou32(s, &u); + if (r < 0) + return r; + + if (u == AUDIT_SESSION_INVALID || u <= 0) + return -ENODATA; + + *id = u; + return 0; +} + +int audit_loginuid_from_pid(pid_t pid, uid_t *uid) { + _cleanup_free_ char *s = NULL; + const char *p; + uid_t u; + int r; + + assert(uid); + + p = procfs_file_alloca(pid, "loginuid"); + + r = read_one_line_file(p, &s); + if (r < 0) + return r; + + r = parse_uid(s, &u); + if (r == -ENXIO) /* the UID was -1 */ + return -ENODATA; + if (r < 0) + return r; + + *uid = (uid_t) u; + return 0; +} + +bool use_audit(void) { + static int cached_use = -1; + + if (cached_use < 0) { + int fd; + + fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); + if (fd < 0) + cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT; + else { + cached_use = true; + safe_close(fd); + } + } + + return cached_use; +} diff --git a/src/basic/audit-util.h b/src/basic/audit-util.h new file mode 100644 index 0000000000..6de331c73e --- /dev/null +++ b/src/basic/audit-util.h @@ -0,0 +1,33 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#pragma once + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see . +***/ + +#include +#include +#include + +#define AUDIT_SESSION_INVALID ((uint32_t) -1) + +int audit_session_from_pid(pid_t pid, uint32_t *id); +int audit_loginuid_from_pid(pid_t pid, uid_t *uid); + +bool use_audit(void); diff --git a/src/basic/audit.c b/src/basic/audit.c deleted file mode 100644 index 4957fc1bec..0000000000 --- a/src/basic/audit.c +++ /dev/null @@ -1,104 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see . -***/ - -#include -#include - -#include "audit.h" -#include "fd-util.h" -#include "fileio.h" -#include "macro.h" -#include "parse-util.h" -#include "process-util.h" -#include "user-util.h" -#include "util.h" - -int audit_session_from_pid(pid_t pid, uint32_t *id) { - _cleanup_free_ char *s = NULL; - const char *p; - uint32_t u; - int r; - - assert(id); - - /* We don't convert ENOENT to ESRCH here, since we can't - * really distuingish between "audit is not available in the - * kernel" and "the process does not exist", both which will - * result in ENOENT. */ - - p = procfs_file_alloca(pid, "sessionid"); - - r = read_one_line_file(p, &s); - if (r < 0) - return r; - - r = safe_atou32(s, &u); - if (r < 0) - return r; - - if (u == AUDIT_SESSION_INVALID || u <= 0) - return -ENODATA; - - *id = u; - return 0; -} - -int audit_loginuid_from_pid(pid_t pid, uid_t *uid) { - _cleanup_free_ char *s = NULL; - const char *p; - uid_t u; - int r; - - assert(uid); - - p = procfs_file_alloca(pid, "loginuid"); - - r = read_one_line_file(p, &s); - if (r < 0) - return r; - - r = parse_uid(s, &u); - if (r == -ENXIO) /* the UID was -1 */ - return -ENODATA; - if (r < 0) - return r; - - *uid = (uid_t) u; - return 0; -} - -bool use_audit(void) { - static int cached_use = -1; - - if (cached_use < 0) { - int fd; - - fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT); - if (fd < 0) - cached_use = errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT; - else { - cached_use = true; - safe_close(fd); - } - } - - return cached_use; -} diff --git a/src/basic/audit.h b/src/basic/audit.h deleted file mode 100644 index 6de331c73e..0000000000 --- a/src/basic/audit.h +++ /dev/null @@ -1,33 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -#pragma once - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see . -***/ - -#include -#include -#include - -#define AUDIT_SESSION_INVALID ((uint32_t) -1) - -int audit_session_from_pid(pid_t pid, uint32_t *id); -int audit_loginuid_from_pid(pid_t pid, uid_t *uid); - -bool use_audit(void); diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c new file mode 100644 index 0000000000..3a6ceed6f5 --- /dev/null +++ b/src/basic/capability-util.c @@ -0,0 +1,308 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see . +***/ + +#include +#include +#include +#include +#include +#include + +#include "capability-util.h" +#include "fileio.h" +#include "log.h" +#include "macro.h" +#include "parse-util.h" +#include "util.h" + +int have_effective_cap(int value) { + _cleanup_cap_free_ cap_t cap; + cap_flag_value_t fv; + + cap = cap_get_proc(); + if (!cap) + return -errno; + + if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0) + return -errno; + else + return fv == CAP_SET; +} + +unsigned long cap_last_cap(void) { + static thread_local unsigned long saved; + static thread_local bool valid = false; + _cleanup_free_ char *content = NULL; + unsigned long p = 0; + int r; + + if (valid) + return saved; + + /* available since linux-3.2 */ + r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); + if (r >= 0) { + r = safe_atolu(content, &p); + if (r >= 0) { + saved = p; + valid = true; + return p; + } + } + + /* fall back to syscall-probing for pre linux-3.2 */ + p = (unsigned long) CAP_LAST_CAP; + + if (prctl(PR_CAPBSET_READ, p) < 0) { + + /* Hmm, look downwards, until we find one that + * works */ + for (p--; p > 0; p --) + if (prctl(PR_CAPBSET_READ, p) >= 0) + break; + + } else { + + /* Hmm, look upwards, until we find one that doesn't + * work */ + for (;; p++) + if (prctl(PR_CAPBSET_READ, p+1) < 0) + break; + } + + saved = p; + valid = true; + + return p; +} + +int capability_bounding_set_drop(uint64_t drop, bool right_now) { + _cleanup_cap_free_ cap_t after_cap = NULL; + cap_flag_value_t fv; + unsigned long i; + int r; + + /* If we are run as PID 1 we will lack CAP_SETPCAP by default + * in the effective set (yes, the kernel drops that when + * executing init!), so get it back temporarily so that we can + * call PR_CAPBSET_DROP. */ + + after_cap = cap_get_proc(); + if (!after_cap) + return -errno; + + if (cap_get_flag(after_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) + return -errno; + + if (fv != CAP_SET) { + _cleanup_cap_free_ cap_t temp_cap = NULL; + static const cap_value_t v = CAP_SETPCAP; + + temp_cap = cap_dup(after_cap); + if (!temp_cap) { + r = -errno; + goto finish; + } + + if (cap_set_flag(temp_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0) { + r = -errno; + goto finish; + } + + if (cap_set_proc(temp_cap) < 0) { + r = -errno; + goto finish; + } + } + + for (i = 0; i <= cap_last_cap(); i++) { + + if (drop & ((uint64_t) 1ULL << (uint64_t) i)) { + cap_value_t v; + + /* Drop it from the bounding set */ + if (prctl(PR_CAPBSET_DROP, i) < 0) { + r = -errno; + goto finish; + } + v = (cap_value_t) i; + + /* Also drop it from the inheritable set, so + * that anything we exec() loses the + * capability for good. */ + if (cap_set_flag(after_cap, CAP_INHERITABLE, 1, &v, CAP_CLEAR) < 0) { + r = -errno; + goto finish; + } + + /* If we shall apply this right now drop it + * also from our own capability sets. */ + if (right_now) { + if (cap_set_flag(after_cap, CAP_PERMITTED, 1, &v, CAP_CLEAR) < 0 || + cap_set_flag(after_cap, CAP_EFFECTIVE, 1, &v, CAP_CLEAR) < 0) { + r = -errno; + goto finish; + } + } + } + } + + r = 0; + +finish: + if (cap_set_proc(after_cap) < 0) + return -errno; + + return r; +} + +static int drop_from_file(const char *fn, uint64_t drop) { + int r, k; + uint32_t hi, lo; + uint64_t current, after; + char *p; + + r = read_one_line_file(fn, &p); + if (r < 0) + return r; + + assert_cc(sizeof(hi) == sizeof(unsigned)); + assert_cc(sizeof(lo) == sizeof(unsigned)); + + k = sscanf(p, "%u %u", &lo, &hi); + free(p); + + if (k != 2) + return -EIO; + + current = (uint64_t) lo | ((uint64_t) hi << 32ULL); + after = current & ~drop; + + if (current == after) + return 0; + + lo = (unsigned) (after & 0xFFFFFFFFULL); + hi = (unsigned) ((after >> 32ULL) & 0xFFFFFFFFULL); + + if (asprintf(&p, "%u %u", lo, hi) < 0) + return -ENOMEM; + + r = write_string_file(fn, p, WRITE_STRING_FILE_CREATE); + free(p); + + return r; +} + +int capability_bounding_set_drop_usermode(uint64_t drop) { + int r; + + r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", drop); + if (r < 0) + return r; + + r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", drop); + if (r < 0) + return r; + + return r; +} + +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { + _cleanup_cap_free_ cap_t d = NULL; + unsigned i, j = 0; + int r; + + /* Unfortunately we cannot leave privilege dropping to PID 1 + * here, since we want to run as user but want to keep some + * capabilities. Since file capabilities have been introduced + * this cannot be done across exec() anymore, unless our + * binary has the capability configured in the file system, + * which we want to avoid. */ + + if (setresgid(gid, gid, gid) < 0) + return log_error_errno(errno, "Failed to change group ID: %m"); + + if (setgroups(0, NULL) < 0) + return log_error_errno(errno, "Failed to drop auxiliary groups list: %m"); + + /* Ensure we keep the permitted caps across the setresuid() */ + if (prctl(PR_SET_KEEPCAPS, 1) < 0) + return log_error_errno(errno, "Failed to enable keep capabilities flag: %m"); + + r = setresuid(uid, uid, uid); + if (r < 0) + return log_error_errno(errno, "Failed to change user ID: %m"); + + if (prctl(PR_SET_KEEPCAPS, 0) < 0) + return log_error_errno(errno, "Failed to disable keep capabilities flag: %m"); + + /* Drop all caps from the bounding set, except the ones we want */ + r = capability_bounding_set_drop(~keep_capabilities, true); + if (r < 0) + return log_error_errno(r, "Failed to drop capabilities: %m"); + + /* Now upgrade the permitted caps we still kept to effective caps */ + d = cap_init(); + if (!d) + return log_oom(); + + if (keep_capabilities) { + cap_value_t bits[u64log2(keep_capabilities) + 1]; + + for (i = 0; i < ELEMENTSOF(bits); i++) + if (keep_capabilities & (1ULL << i)) + bits[j++] = i; + + /* use enough bits */ + assert(i == 64 || (keep_capabilities >> i) == 0); + /* don't use too many bits */ + assert(keep_capabilities & (1ULL << (i - 1))); + + if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { + log_error_errno(errno, "Failed to enable capabilities bits: %m"); + return -errno; + } + + if (cap_set_proc(d) < 0) + return log_error_errno(errno, "Failed to increase capabilities: %m"); + } + + return 0; +} + +int drop_capability(cap_value_t cv) { + _cleanup_cap_free_ cap_t tmp_cap = NULL; + + tmp_cap = cap_get_proc(); + if (!tmp_cap) + return -errno; + + if ((cap_set_flag(tmp_cap, CAP_INHERITABLE, 1, &cv, CAP_CLEAR) < 0) || + (cap_set_flag(tmp_cap, CAP_PERMITTED, 1, &cv, CAP_CLEAR) < 0) || + (cap_set_flag(tmp_cap, CAP_EFFECTIVE, 1, &cv, CAP_CLEAR) < 0)) + return -errno; + + if (cap_set_proc(tmp_cap) < 0) + return -errno; + + return 0; +} diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h new file mode 100644 index 0000000000..4eb5c2a835 --- /dev/null +++ b/src/basic/capability-util.h @@ -0,0 +1,45 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +#pragma once + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see . +***/ + +#include +#include + +#include "util.h" + +unsigned long cap_last_cap(void); +int have_effective_cap(int value); +int capability_bounding_set_drop(uint64_t drop, bool right_now); +int capability_bounding_set_drop_usermode(uint64_t drop); + +int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities); + +int drop_capability(cap_value_t cv); + +DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free); +#define _cleanup_cap_free_ _cleanup_(cap_freep) + +static inline void cap_free_charpp(char **p) { + if (*p) + cap_free(*p); +} +#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp) diff --git a/src/basic/capability.c b/src/basic/capability.c deleted file mode 100644 index 04c7047a6a..0000000000 --- a/src/basic/capability.c +++ /dev/null @@ -1,308 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see . -***/ - -#include -#include -#include -#include -#include -#include - -#include "capability.h" -#include "fileio.h" -#include "log.h" -#include "macro.h" -#include "parse-util.h" -#include "util.h" - -int have_effective_cap(int value) { - _cleanup_cap_free_ cap_t cap; - cap_flag_value_t fv; - - cap = cap_get_proc(); - if (!cap) - return -errno; - - if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0) - return -errno; - else - return fv == CAP_SET; -} - -unsigned long cap_last_cap(void) { - static thread_local unsigned long saved; - static thread_local bool valid = false; - _cleanup_free_ char *content = NULL; - unsigned long p = 0; - int r; - - if (valid) - return saved; - - /* available since linux-3.2 */ - r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content); - if (r >= 0) { - r = safe_atolu(content, &p); - if (r >= 0) { - saved = p; - valid = true; - return p; - } - } - - /* fall back to syscall-probing for pre linux-3.2 */ - p = (unsigned long) CAP_LAST_CAP; - - if (prctl(PR_CAPBSET_READ, p) < 0) { - - /* Hmm, look downwards, until we find one that - * works */ - for (p--; p > 0; p --) - if (prctl(PR_CAPBSET_READ, p) >= 0) - break; - - } else { - - /* Hmm, look upwards, until we find one that doesn't - * work */ - for (;; p++) - if (prctl(PR_CAPBSET_READ, p+1) < 0) - break; - } - - saved = p; - valid = true; - - return p; -} - -int capability_bounding_set_drop(uint64_t drop, bool right_now) { - _cleanup_cap_free_ cap_t after_cap = NULL; - cap_flag_value_t fv; - unsigned long i; - int r; - - /* If we are run as PID 1 we will lack CAP_SETPCAP by default - * in the effective set (yes, the kernel drops that when - * executing init!), so get it back temporarily so that we can - * call PR_CAPBSET_DROP. */ - - after_cap = cap_get_proc(); - if (!after_cap) - return -errno; - - if (cap_get_flag(after_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) - return -errno; - - if (fv != CAP_SET) { - _cleanup_cap_free_ cap_t temp_cap = NULL; - static const cap_value_t v = CAP_SETPCAP; - - temp_cap = cap_dup(after_cap); - if (!temp_cap) { - r = -errno; - goto finish; - } - - if (cap_set_flag(temp_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0) { - r = -errno; - goto finish; - } - - if (cap_set_proc(temp_cap) < 0) { - r = -errno; - goto finish; - } - } - - for (i = 0; i <= cap_last_cap(); i++) { - - if (drop & ((uint64_t) 1ULL << (uint64_t) i)) { - cap_value_t v; - - /* Drop it from the bounding set */ - if (prctl(PR_CAPBSET_DROP, i) < 0) { - r = -errno; - goto finish; - } - v = (cap_value_t) i; - - /* Also drop it from the inheritable set, so - * that anything we exec() loses the - * capability for good. */ - if (cap_set_flag(after_cap, CAP_INHERITABLE, 1, &v, CAP_CLEAR) < 0) { - r = -errno; - goto finish; - } - - /* If we shall apply this right now drop it - * also from our own capability sets. */ - if (right_now) { - if (cap_set_flag(after_cap, CAP_PERMITTED, 1, &v, CAP_CLEAR) < 0 || - cap_set_flag(after_cap, CAP_EFFECTIVE, 1, &v, CAP_CLEAR) < 0) { - r = -errno; - goto finish; - } - } - } - } - - r = 0; - -finish: - if (cap_set_proc(after_cap) < 0) - return -errno; - - return r; -} - -static int drop_from_file(const char *fn, uint64_t drop) { - int r, k; - uint32_t hi, lo; - uint64_t current, after; - char *p; - - r = read_one_line_file(fn, &p); - if (r < 0) - return r; - - assert_cc(sizeof(hi) == sizeof(unsigned)); - assert_cc(sizeof(lo) == sizeof(unsigned)); - - k = sscanf(p, "%u %u", &lo, &hi); - free(p); - - if (k != 2) - return -EIO; - - current = (uint64_t) lo | ((uint64_t) hi << 32ULL); - after = current & ~drop; - - if (current == after) - return 0; - - lo = (unsigned) (after & 0xFFFFFFFFULL); - hi = (unsigned) ((after >> 32ULL) & 0xFFFFFFFFULL); - - if (asprintf(&p, "%u %u", lo, hi) < 0) - return -ENOMEM; - - r = write_string_file(fn, p, WRITE_STRING_FILE_CREATE); - free(p); - - return r; -} - -int capability_bounding_set_drop_usermode(uint64_t drop) { - int r; - - r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", drop); - if (r < 0) - return r; - - r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", drop); - if (r < 0) - return r; - - return r; -} - -int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { - _cleanup_cap_free_ cap_t d = NULL; - unsigned i, j = 0; - int r; - - /* Unfortunately we cannot leave privilege dropping to PID 1 - * here, since we want to run as user but want to keep some - * capabilities. Since file capabilities have been introduced - * this cannot be done across exec() anymore, unless our - * binary has the capability configured in the file system, - * which we want to avoid. */ - - if (setresgid(gid, gid, gid) < 0) - return log_error_errno(errno, "Failed to change group ID: %m"); - - if (setgroups(0, NULL) < 0) - return log_error_errno(errno, "Failed to drop auxiliary groups list: %m"); - - /* Ensure we keep the permitted caps across the setresuid() */ - if (prctl(PR_SET_KEEPCAPS, 1) < 0) - return log_error_errno(errno, "Failed to enable keep capabilities flag: %m"); - - r = setresuid(uid, uid, uid); - if (r < 0) - return log_error_errno(errno, "Failed to change user ID: %m"); - - if (prctl(PR_SET_KEEPCAPS, 0) < 0) - return log_error_errno(errno, "Failed to disable keep capabilities flag: %m"); - - /* Drop all caps from the bounding set, except the ones we want */ - r = capability_bounding_set_drop(~keep_capabilities, true); - if (r < 0) - return log_error_errno(r, "Failed to drop capabilities: %m"); - - /* Now upgrade the permitted caps we still kept to effective caps */ - d = cap_init(); - if (!d) - return log_oom(); - - if (keep_capabilities) { - cap_value_t bits[u64log2(keep_capabilities) + 1]; - - for (i = 0; i < ELEMENTSOF(bits); i++) - if (keep_capabilities & (1ULL << i)) - bits[j++] = i; - - /* use enough bits */ - assert(i == 64 || (keep_capabilities >> i) == 0); - /* don't use too many bits */ - assert(keep_capabilities & (1ULL << (i - 1))); - - if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || - cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { - log_error_errno(errno, "Failed to enable capabilities bits: %m"); - return -errno; - } - - if (cap_set_proc(d) < 0) - return log_error_errno(errno, "Failed to increase capabilities: %m"); - } - - return 0; -} - -int drop_capability(cap_value_t cv) { - _cleanup_cap_free_ cap_t tmp_cap = NULL; - - tmp_cap = cap_get_proc(); - if (!tmp_cap) - return -errno; - - if ((cap_set_flag(tmp_cap, CAP_INHERITABLE, 1, &cv, CAP_CLEAR) < 0) || - (cap_set_flag(tmp_cap, CAP_PERMITTED, 1, &cv, CAP_CLEAR) < 0) || - (cap_set_flag(tmp_cap, CAP_EFFECTIVE, 1, &cv, CAP_CLEAR) < 0)) - return -errno; - - if (cap_set_proc(tmp_cap) < 0) - return -errno; - - return 0; -} diff --git a/src/basic/capability.h b/src/basic/capability.h deleted file mode 100644 index 4eb5c2a835..0000000000 --- a/src/basic/capability.h +++ /dev/null @@ -1,45 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -#pragma once - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see . -***/ - -#include -#include - -#include "util.h" - -unsigned long cap_last_cap(void); -int have_effective_cap(int value); -int capability_bounding_set_drop(uint64_t drop, bool right_now); -int capability_bounding_set_drop_usermode(uint64_t drop); - -int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities); - -int drop_capability(cap_value_t cv); - -DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free); -#define _cleanup_cap_free_ _cleanup_(cap_freep) - -static inline void cap_free_charpp(char **p) { - if (*p) - cap_free(*p); -} -#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp) diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c index 7e7574568c..fc8edaeb36 100644 --- a/src/bus-proxyd/bus-proxyd.c +++ b/src/bus-proxyd/bus-proxyd.c @@ -35,7 +35,7 @@ #include "bus-internal.h" #include "bus-xml-policy.h" -#include "capability.h" +#include "capability-util.h" #include "def.h" #include "fd-util.h" #include "formats-util.h" diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 950e463bc5..35f1b2913b 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -27,7 +27,7 @@ #include "af-list.h" #include "bus-util.h" -#include "capability.h" +#include "capability-util.h" #include "dbus-execute.h" #include "env-util.h" #include "execute.h" diff --git a/src/core/execute.c b/src/core/execute.c index f354216325..2982125b82 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -60,7 +60,7 @@ #include "barrier.h" #include "bus-endpoint.h" #include "cap-list.h" -#include "capability.h" +#include "capability-util.h" #include "def.h" #include "env-util.h" #include "errno-list.h" diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c index 2068ffd69b..651f79a1fe 100644 --- a/src/core/kmod-setup.c +++ b/src/core/kmod-setup.c @@ -27,7 +27,7 @@ #endif #include "macro.h" -#include "capability.h" +#include "capability-util.h" #include "bus-util.h" #include "kmod-setup.h" diff --git a/src/core/main.c b/src/core/main.c index 3e4e9199ed..fd8ad0c0ea 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -44,7 +44,7 @@ #include "build.h" #include "bus-error.h" #include "bus-util.h" -#include "capability.h" +#include "capability-util.h" #include "clock-util.h" #include "conf-parser.h" #include "cpu-set-util.h" diff --git a/src/import/import-common.c b/src/import/import-common.c index d96a000f81..a8551ca9e8 100644 --- a/src/import/import-common.c +++ b/src/import/import-common.c @@ -25,7 +25,7 @@ #include #include "btrfs-util.h" -#include "capability.h" +#include "capability-util.h" #include "fd-util.h" #include "import-common.h" #include "signal-util.h" diff --git a/src/import/pull-common.c b/src/import/pull-common.c index 17283a4a24..f9c168e374 100644 --- a/src/import/pull-common.c +++ b/src/import/pull-common.c @@ -22,7 +22,7 @@ #include #include "btrfs-util.h" -#include "capability.h" +#include "capability-util.h" #include "copy.h" #include "dirent-util.h" #include "escape.h" diff --git a/src/journal/coredump.c b/src/journal/coredump.c index 257a665819..b9ece73a81 100644 --- a/src/journal/coredump.c +++ b/src/journal/coredump.c @@ -34,7 +34,7 @@ #include "sd-login.h" #include "acl-util.h" -#include "capability.h" +#include "capability-util.h" #include "cgroup-util.h" #include "compress.h" #include "conf-parser.h" diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index ab213f705d..442fbb8ecd 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -34,6 +34,7 @@ #include "sd-messages.h" #include "acl-util.h" +#include "audit-util.h" #include "cgroup-util.h" #include "conf-parser.h" #include "dirent-util.h" diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h index 535c0ab9ab..a2631c6017 100644 --- a/src/journal/journald-server.h +++ b/src/journal/journald-server.h @@ -25,9 +25,9 @@ #include #include "sd-event.h" -#include "journal-file.h" + #include "hashmap.h" -#include "audit.h" +#include "journal-file.h" #include "journald-rate-limit.h" #include "list.h" diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c index e68207ae07..dc4ac88712 100644 --- a/src/libsystemd/sd-bus/bus-control.c +++ b/src/libsystemd/sd-bus/bus-control.c @@ -32,7 +32,7 @@ #include "bus-internal.h" #include "bus-message.h" #include "bus-util.h" -#include "capability.h" +#include "capability-util.h" #include "string-util.h" #include "strv.h" #include "bus-control.h" diff --git a/src/libsystemd/sd-bus/bus-creds.c b/src/libsystemd/sd-bus/bus-creds.c index d7a7b6e5bb..d291da8934 100644 --- a/src/libsystemd/sd-bus/bus-creds.c +++ b/src/libsystemd/sd-bus/bus-creds.c @@ -22,12 +22,12 @@ #include #include -#include "audit.h" +#include "audit-util.h" #include "bus-creds.h" #include "bus-label.h" #include "bus-message.h" #include "bus-util.h" -#include "capability.h" +#include "capability-util.h" #include "cgroup-util.h" #include "fd-util.h" #include "fileio.h" diff --git a/src/libsystemd/sd-bus/bus-dump.c b/src/libsystemd/sd-bus/bus-dump.c index 02c9ff8f2f..ab4e9cbc06 100644 --- a/src/libsystemd/sd-bus/bus-dump.c +++ b/src/libsystemd/sd-bus/bus-dump.c @@ -24,7 +24,7 @@ #include "bus-message.h" #include "bus-type.h" #include "cap-list.h" -#include "capability.h" +#include "capability-util.h" #include "fileio.h" #include "formats-util.h" #include "locale-util.h" diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c index 6f396b7953..a455259007 100644 --- a/src/libsystemd/sd-bus/bus-kernel.c +++ b/src/libsystemd/sd-bus/bus-kernel.c @@ -40,7 +40,7 @@ #include "bus-label.h" #include "bus-message.h" #include "bus-util.h" -#include "capability.h" +#include "capability-util.h" #include "fd-util.h" #include "fileio.h" #include "formats-util.h" diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index 284ec42138..4204732e7d 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -26,7 +26,7 @@ #include "sd-messages.h" -#include "audit.h" +#include "audit-util.h" #include "bus-common-errors.h" #include "bus-error.h" #include "bus-util.h" diff --git a/src/login/logind-session.c b/src/login/logind-session.c index 829b614509..26c135b2ca 100644 --- a/src/login/logind-session.c +++ b/src/login/logind-session.c @@ -30,7 +30,7 @@ #include "sd-messages.h" -#include "audit.h" +#include "audit-util.h" #include "bus-error.h" #include "bus-util.h" #include "escape.h" diff --git a/src/login/logind-utmp.c b/src/login/logind-utmp.c index 9c766bcb25..3f4a629be3 100644 --- a/src/login/logind-utmp.c +++ b/src/login/logind-utmp.c @@ -26,7 +26,7 @@ #include "sd-messages.h" -#include "audit.h" +#include "audit-util.h" #include "bus-common-errors.h" #include "bus-error.h" #include "bus-util.h" diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c index 464da88bcc..c37cfdb68b 100644 --- a/src/login/pam_systemd.c +++ b/src/login/pam_systemd.c @@ -30,7 +30,7 @@ #include #include -#include "audit.h" +#include "audit-util.h" #include "bus-common-errors.h" #include "bus-error.h" #include "bus-util.h" diff --git a/src/network/networkd.c b/src/network/networkd.c index 1a17847715..c03ac69e27 100644 --- a/src/network/networkd.c +++ b/src/network/networkd.c @@ -21,7 +21,7 @@ #include "sd-daemon.h" -#include "capability.h" +#include "capability-util.h" #include "networkd.h" #include "signal-util.h" #include "user-util.h" diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 4e9ac04094..28bca1f71e 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -51,7 +51,7 @@ #include "blkid-util.h" #include "btrfs-util.h" #include "cap-list.h" -#include "capability.h" +#include "capability-util.h" #include "cgroup-util.h" #include "copy.h" #include "dev-setup.h" diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c index df4eb6f63e..7ba0546f4a 100644 --- a/src/resolve/resolved.c +++ b/src/resolve/resolved.c @@ -22,7 +22,7 @@ #include "sd-daemon.h" #include "sd-event.h" -#include "capability.h" +#include "capability-util.h" #include "mkdir.h" #include "resolved-conf.h" #include "resolved-manager.h" diff --git a/src/shared/condition.c b/src/shared/condition.c index a79a74eaa5..a11054e316 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -29,7 +29,7 @@ #include "apparmor-util.h" #include "architecture.h" -#include "audit.h" +#include "audit-util.h" #include "cap-list.h" #include "condition.h" #include "extract-word.h" diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c index 5f17868458..f43f737951 100644 --- a/src/test/test-cap-list.c +++ b/src/test/test-cap-list.c @@ -22,7 +22,7 @@ #include #include "cap-list.h" -#include "capability.h" +#include "capability-util.h" #include "fileio.h" #include "parse-util.h" #include "util.h" diff --git a/src/test/test-capability.c b/src/test/test-capability.c index 09d7e61e92..fc8d3ffe0d 100644 --- a/src/test/test-capability.c +++ b/src/test/test-capability.c @@ -24,7 +24,7 @@ #include #include -#include "capability.h" +#include "capability-util.h" #include "fd-util.h" #include "macro.h" #include "util.h" diff --git a/src/test/test-condition.c b/src/test/test-condition.c index 91a27138eb..365f5794d4 100644 --- a/src/test/test-condition.c +++ b/src/test/test-condition.c @@ -21,7 +21,7 @@ #include "apparmor-util.h" #include "architecture.h" -#include "audit.h" +#include "audit-util.h" #include "condition.h" #include "hostname-util.h" #include "ima-util.h" diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c index 59d348c356..7f70eaaea0 100644 --- a/src/timesync/timesyncd.c +++ b/src/timesync/timesyncd.c @@ -22,7 +22,7 @@ #include "sd-daemon.h" #include "sd-event.h" -#include "capability.h" +#include "capability-util.h" #include "clock-util.h" #include "fd-util.h" #include "fs-util.h" diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 9ac10db22a..7217f54611 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -40,7 +40,7 @@ #include "acl-util.h" #include "btrfs-util.h" -#include "capability.h" +#include "capability-util.h" #include "chattr-util.h" #include "conf-files.h" #include "copy.h" -- cgit v1.2.3-54-g00ecf