| author | Stanisław Pitucha <viraptor@gmail.com> | 2014-12-13 20:27:53 +1100 |
|---|---|---|
| committer | dormando <dormando@rydia.net> | 2017-08-23 23:59:11 -0700 |
| commit | 78c260a2ea8a3662720562ef2c0364eac36dfa4a (patch) | |
| tree | 7453fad7c38002c7ab332aeb2b3e5990c96d6675 /memcached.h | |
| parent | 3e8f5e25f06dc7649038e8a0a229acd5b627882d (diff) | |
| download | memcached-78c260a2ea8a3662720562ef2c0364eac36dfa4a.tar.gz | |
Add drop_privileges() for Linux
Implement an aggressive version of drop_privileges(). Additionally add a
similar initialization function for threads, drop_worker_privileges().
This version is similar to the Solaris one and prohibits memcached from
making any not approved syscalls. The current list narrows down the allowed
calls to socket sends/recvs, accept, epoll handling, futex (and
dependencies - mmap), getrusage (for stats), and signal / exit
handling.
Any incorrect behaviour will result in EACCES returned. This should be
restricted further to KILL in the future (after more testing).
The feature is only tested for i386 and x86_64. It depends on bpf
filters and seccomp enabled in the kernel. It also requires libseccomp
for abstraction to seccomp filters. All are available since Linux 3.5.
Seccomp filtering can be enabled at compile time with --enable-seccomp.
In case of local customisations which require more rights, memcached
allows disabling drop_privileges() with "-o no_drop_privileges" at
startup.
Tests have to run with "-o relaxed_privileges", since they require
disk access after the tests complete. This adds a few allowed syscalls,
but does not disable the protection system completely.
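The allowlist-with-EACCES scheme the commit message describes, as an added example that is not code from this commit or from the memcached project: a seccomp-BPF filter built as plain data (so it can be simulated before it is loaded), where any syscall outside the list fails with EACCES instead of executing. The allowlist, the helper names and the `--install` switch are this example's own assumptions; memcached's real list is not in this header diff.

```c
/* Added example, not part of the memcached commit: a seccomp-BPF syscall
 * allowlist of the kind the commit message describes. Everything outside the
 * list returns EACCES (SECCOMP_RET_ERRNO) rather than KILL, the soft failure
 * the message prefers until the list is well tested. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY_EACCES (SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))

static struct sock_filter stmt(uint16_t code, uint32_t k)
{
    struct sock_filter f = { code, 0, 0, k };
    return f;
}

static struct sock_filter jump(uint16_t code, uint32_t k, uint8_t jt, uint8_t jf)
{
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Layout: [load arch][arch ok, else deny][load nr][nr==a[i] -> allow]...[deny][allow]
 * Returns the instruction count, or 0 if the list is too long or cap too small.
 * The arch check matters: on x86_64 a 32-bit caller would otherwise be
 * matched against the wrong syscall table. */
size_t build_allowlist_filter(const int *allowed, size_t n,
                              struct sock_filter *out, size_t cap)
{
    size_t len = n + 5, i;
    if (n > 250 || len > cap)
        return 0;
    out[0] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[1] = jump(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 0, (uint8_t)(n + 1));
    out[2] = stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++)   /* on match, jump forward to the final ALLOW */
        out[3 + i] = jump(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i],
                          (uint8_t)(n - i), 0);
    out[3 + n] = stmt(BPF_RET | BPF_K, DENY_EACCES);
    out[4 + n] = stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Minimal interpreter for the three instruction kinds used above, so a
 * filter can be checked without installing it in the running process. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, uint32_t arch, int nr)
{
    uint32_t acc = 0;
    size_t pc;
    for (pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = (uint32_t)nr;
            else return SECCOMP_RET_KILL;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* target = pc + 1 + offset */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Constructed allowlist for the demo (hypothetical, not memcached's). */
static const int example_allowlist[] = {
    SYS_read, SYS_write, SYS_futex, SYS_getrusage, SYS_rt_sigreturn, SYS_exit_group,
};
#define EXAMPLE_N (sizeof(example_allowlist) / sizeof(example_allowlist[0]))

uint32_t example_decision(uint32_t arch, int nr)
{
    struct sock_filter prog[EXAMPLE_N + 5];
    size_t len = build_allowlist_filter(example_allowlist, EXAMPLE_N, prog, EXAMPLE_N + 5);
    return run_filter(prog, len, arch, nr);
}

/* Install in the calling thread only. Threads created later inherit the
 * filter; threads that already exist do not, hence a per-thread entry point
 * such as the commit's drop_worker_privileges(). */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[256];
    struct sock_fprog fprog;
    size_t len = build_allowlist_filter(allowed, n, prog, 256);
    if (len == 0) { errno = EINVAL; return -1; }
    fprog.len = (unsigned short)len;
    fprog.filter = prog;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(int argc, char **argv)
{
    printf("read   -> %#x (ALLOW is %#x)\n",
           (unsigned)example_decision(EXAMPLE_AUDIT_ARCH, SYS_read), (unsigned)SECCOMP_RET_ALLOW);
    printf("openat -> %#x (EACCES is %#x)\n",
           (unsigned)example_decision(EXAMPLE_AUDIT_ARCH, SYS_openat), (unsigned)DENY_EACCES);
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        if (install_allowlist(example_allowlist, EXAMPLE_N) != 0) { perror("install"); return 1; }
        /* getpid is not listed: it now fails with EACCES instead of running */
        if (syscall(SYS_getpid) == -1)
            printf("getpid after filter: %s\n", strerror(errno));
    }
    return 0;
}
```

Without `--install` the program only simulates decisions; with it, the filter is loaded into the main thread and an unlisted syscall visibly fails with EACCES, the behaviour the commit message describes. The arch check is the part most often omitted in hand-written filters and is what keeps a 32-bit caller on x86_64 from being judged against the 64-bit table.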
Diffstat (limited to 'memcached.h')
-rw-r--r-- | memcached.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/memcached.h b/memcached.h index 3bfcb11..3332360 100644 --- a/memcached.h +++ b/memcached.h @@ -381,6 +381,8 @@ struct settings { int idle_timeout; /* Number of seconds to let connections idle */ unsigned int logger_watcher_buf_size; /* size of logger's per-watcher buffer */ unsigned int logger_buf_size; /* size of per-thread logger buffer */ + bool drop_privileges; /* Whether or not to drop unnecessary process privileges */ + bool relaxed_privileges; /* Relax process restrictions when running testapp */ }; extern struct stats stats; @@ -684,6 +686,12 @@ extern void drop_privileges(void); #define drop_privileges() #endif +#if HAVE_DROP_WORKER_PRIVILEGES +extern void drop_worker_privileges(void); +#else +#define drop_worker_privileges() +#endif + /* If supported, give compiler hints for branch prediction. */ #if !defined(__GNUC__) || (__GNUC__ == 2 && __GNUC_MINOR__ < 96) #define __builtin_expect(x, expected_value) (x) |
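Review bot: the two new `bool` fields in `struct settings` (`drop_privileges`, `relaxed_privileges`) get no default in this header, and if `settings` is a zero-initialised global like the `stats` declared next to it, the filter is silently off unless the settings initialiser in memcached.c sets `drop_privileges = true`; the commit message says the filter is on by default and only disabled with `-o no_drop_privileges`, so please confirm the initialiser matches and record the default in each comment, e.g. `bool drop_privileges; /* Drop unnecessary process privileges (default: on) */`. The `relaxed_privileges` comment should also say what is relaxed (a few extra syscalls so the test suite can touch disk) rather than only "when running testapp".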
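Review bot: the fallback `#define drop_worker_privileges()` in the second hunk means a missing call in a worker thread compiles to nothing on non-seccomp builds, and on seccomp builds the filter installed by `drop_privileges()` only covers the calling thread and threads created after it, so a worker that is never passed through `drop_worker_privileges()` runs unrestricted without any error. A short comment on the declaration, stating that it must be called from each worker thread once that thread's setup syscalls are done, would make the split between the two entry points explicit, since they otherwise share an identical guard pattern and are easy to confuse.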