path: root/src/shared/capability.c
Commit message (Author, Age, Files, Lines)
* build-sys: split internal basic/ library from shared/ (Kay Sievers, 2015-06-11, 1 file, -307/+0)
  basic/ can be used by everything
         cannot use anything outside of basic/

  libsystemd/ can use basic/
         cannot use shared/

  shared/ can use libsystemd/
* fix gcc warnings about uninitialized variables (Harald Hoyer, 2015-03-27, 1 file, -1/+1)
  like:

  src/shared/install.c: In function ‘unit_file_lookup_state’:
  src/shared/install.c:1861:16: warning: ‘r’ may be used uninitialized in this function [-Wmaybe-uninitialized]
           return r < 0 ? r : state;
                  ^
  src/shared/install.c:1796:13: note: ‘r’ was declared here
           int r;
               ^
* remove unused includes (Thomas Hindoe Paaboel Andersen, 2015-02-23, 1 file, -5/+0)
  This patch removes includes that are not used. The removals were found with
  include-what-you-use which checks if any of the symbols from a header is in use.
* shared/capabilities: simplify assertions about bits (Zbigniew Jędrzejewski-Szmek, 2015-02-04, 1 file, -4/+4)
  The assert added in 7d328b5446 was wrong. Also update the comments and make
  sure we don't try to shift by type size.
* shared/capability: don't be too frugal on space for caps (Tom Gundersen, 2015-02-04, 1 file, -1/+5)
  We were dropping the most significant bit. Add an assert to make sure it does
  not happen again.

  Fixes a bug introduced in 7d328b544621d4b1bec936dec612947ad8bfb65a.
* shared/capability: go frugal on space for caps (Zbigniew Jędrzejewski-Szmek, 2015-02-01, 1 file, -2/+3)
* Fix dropping of all capabilities (Zbigniew Jędrzejewski-Szmek, 2015-02-01, 1 file, -16/+16)
  From fd.o bug 88898:

  systemd-resolved fails to start:
    Failed to drop capabilities: Operation not permitted

  Broken in f11943c53ec181829a821c6b27acf828bab71caa.

  Drop all capabilities:
  1. prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) // 0 when we drop all capabilities
  2. setresuid() // bye bye capabilities
  3. Add CAP_SETPCAP // fails because we have no capabilities
  4. Reduce capability bounding set
  5. Drop capabilities
  6. prctl(PR_SET_KEEPCAPS, 0)

  Capabilities should always be kept after setresuid() so that the capability
  bounding set can be reduced.

  Based-on-a-patch-by: mustrumr97@gmail.com
  https://bugs.freedesktop.org/show_bug.cgi?id=88898

  We must be careful not to leave PR_SET_KEEPCAPS on. We could use the
  setresuid() call to drop capabilities, but the rules when capabilities are
  dropped are fairly complex, since a transition to non-zero uid must happen.
  Let's instead keep the capabilities during setresuid(), and drop them later.
* coredump: drop caps while we are processing the coredump (Lennart Poettering, 2015-01-29, 1 file, -14/+16)
  https://bugs.freedesktop.org/show_bug.cgi?id=87354
* capability: use /proc/sys/kernel/cap_last_cap (David Herrmann, 2014-12-29, 1 file, -0/+14)
  This file was introduced with linux-3.2, use it instead of probing for it via
  prctl(PR_CAPBSET_READ). For now, keep the old code for backwards compat. We
  can drop it once 3.2 is our lowest requirement.

  The test-cap-list code is extended to verify cap_last_cap() is the same as
  we'd get via prctl probing and /proc.
* bus-proxy: cloning smack label (Przemyslaw Kedzierski, 2014-12-09, 1 file, -0/+18)
  When a dbus client connects to systemd-bus-proxyd through a Unix domain
  socket, the proxy takes the client's smack label and sets it for itself.
  It is done before and independent of dropping privileges.

  The reason for such a solution is the fact that tests of access rights
  performed by the lsm may take place inside the kernel, not only in the
  userspace of the recipient of the message.

  The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.

  In case of systemd running in system mode, CAP_MAC_ADMIN should be added to
  CapabilityBoundingSet in the service file of bus-proxyd.

  In case of systemd running in user mode ('systemd --user') it can be
  achieved by adding Capabilities=cap_mac_admin=i and SecureBits=keep-caps to
  the user@.service file and setting cap_mac_admin+ei on the bus-proxyd binary.
* treewide: another round of simplifications (Michal Schmidt, 2014-11-28, 1 file, -24/+12)
  Using the same scripts as in f647962d64e "treewide: yet more log_*_errno +
  return simplifications".
* treewide: use log_*_errno whenever %m is in the format string (Michal Schmidt, 2014-11-28, 1 file, -7/+7)
  If the format string contains %m, clearly errno must have a meaningful value,
  so we might as well use log_*_errno to have ERRNO= logged.

  Using:
  find . -name '*.[ch]' | xargs sed -r -i -e \
    's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'

  Plus some whitespace, linewrap, and indent adjustments.
* treewide: yet more log_*_errno + return simplifications (Michal Schmidt, 2014-11-28, 1 file, -4/+2)
  Using:
  find . -name '*.[ch]' | while read f; do
          perl -i.mmm -e \
    'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f
  done

  And a couple of manual whitespace fixups.
* treewide: no need to negate errno for log_*_errno() (Michal Schmidt, 2014-11-28, 1 file, -1/+1)
  It correctly handles both positive and negative errno values.
* treewide: auto-convert the simple cases to log_*_errno() (Michal Schmidt, 2014-11-28, 1 file, -1/+1)
  As a followup to 086891e5c1 "log: add an "error" parameter to all low-level
  logging calls and intrdouce log_error_errno() as log calls that take error
  numbers", use sed to convert the simple cases to use the new macros:

  find . -name '*.[ch]' | xargs sed -r -i -e \
    's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'

  Multi-line log_*() invocations are not covered.
  And we also should add log_unit_*_errno().
* shared: fix typo (Ronny Chevalier, 2014-10-31, 1 file, -2/+2)
* bus-proxy: drop privileges if we can (Lennart Poettering, 2014-06-04, 1 file, -4/+6)
  Either become uid/gid of the client we have been forked for, or become the
  "systemd-bus-proxy" user if the client was root.

  We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own
  client.
* shared: capability - don't loop over the cap bits if they are all unset (Tom Gundersen, 2014-06-03, 1 file, -4/+4)
* shared: allow drop_privileges to drop all privs (Tom Gundersen, 2014-06-03, 1 file, -9/+11)
* timesyncd: split privilege dropping code out of timesyncd so that we can make use of it from other daemons too (Lennart Poettering, 2014-06-01, 1 file, -1/+70)
  This is preparation to make networkd work as unprivileged user.
* timesyncd: run timesyncd as unprivileged user "systemd-timesync" (but still with CAP_SYS_TIME) (Lennart Poettering, 2014-05-18, 1 file, -1/+2)
* Introduce cleanup functions for cap_free (Zbigniew Jędrzejewski-Szmek, 2014-01-02, 1 file, -18/+6)
  Unfortunately a different cleanup function is necessary per type, because
  cap_t** and char** are incompatible with void**.
* bus: rename message "serial" to "cookie" (Lennart Poettering, 2013-12-25, 1 file, -1/+1)
  Even if the lower-level dbus1 protocol calls it "serial", let's expose the
  word "cookie" for this instead, as this is what kdbus uses and since it
  doesn't imply monotonicity the same way "serial" does.
* __thread --> thread_local for C11 compat (Shawn Landden, 2013-12-17, 1 file, -2/+2)
  Also make thread_local available w/o including <threads.h>.
  (as the latter hasn't been implemented, but this part is trivial)
* util: rename write_one_line_file() to write_string_file() (Lennart Poettering, 2013-04-03, 1 file, -1/+1)
  You can write much more than just one line with this call (and we frequently
  do), so let's correct the naming.
* honor SELinux labels, when creating and writing config files (Harald Hoyer, 2013-02-14, 1 file, -0/+1)
  Also split out some fileio functions to fileio.c and provide a SELinux aware
  pendant in fileio-label.c

  see https://bugzilla.redhat.com/show_bug.cgi?id=881577
* capabilities: when dropping capabilities system-wide also drop them from usermode helpers (Lennart Poettering, 2012-05-29, 1 file, -0/+51)
  This hooks things up with /proc/sys/kernel/usermodehelper/bset and
  /proc/sys/kernel/usermodehelper/inheritable.
* main: add configuration option to alter capability bounding set for PID 1 (Lennart Poettering, 2012-05-24, 1 file, -1/+88)
  This also ensures that caps dropped from the bounding set are also dropped
  from the inheritable set, to be extra-secure. Usually that should change very
  little though as the inheritable set is empty for all our uses anyway.
* relicense to LGPLv2.1 (with exceptions) (Lennart Poettering, 2012-04-12, 1 file, -4/+4)
  We finally got the OK from all contributors with non-trivial commits to
  relicense systemd from GPL2+ to LGPL2.1+.

  Some udev bits continue to be GPL2+ for now, but we are looking into
  relicensing them too, to allow free copy/paste of all code within systemd.

  The bits that used to be MIT continue to be MIT.

  The big benefit of the relicensing is that closed source code may now link
  against libsystemd-login.so and friends.
* util: move all to shared/ and split external dependencies in separate internal libraries (Kay Sievers, 2012-04-10, 1 file, -0/+86)
  Before:
  $ ldd /lib/systemd/systemd-timestamp
          linux-vdso.so.1 =>  (0x00007fffb05ff000)
          libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f90aac57000)
          libcap.so.2 => /lib64/libcap.so.2 (0x00007f90aaa53000)
          librt.so.1 => /lib64/librt.so.1 (0x00007f90aa84a000)
          libc.so.6 => /lib64/libc.so.6 (0x00007f90aa494000)
          /lib64/ld-linux-x86-64.so.2 (0x00007f90aae90000)
          libdl.so.2 => /lib64/libdl.so.2 (0x00007f90aa290000)
          libattr.so.1 => /lib64/libattr.so.1 (0x00007f90aa08a000)
          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f90a9e6e000)

  After:
  $ ldd systemd-timestamp
          linux-vdso.so.1 =>  (0x00007fff3cbff000)
          libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5eaa1c3000)
          librt.so.1 => /lib64/librt.so.1 (0x00007f5ea9fbb000)
          libc.so.6 => /lib64/libc.so.6 (0x00007f5ea9c04000)
          /lib64/ld-linux-x86-64.so.2 (0x00007f5eaa3fc000)
          libdl.so.2 => /lib64/libdl.so.2 (0x00007f5ea9a00000)
          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5ea97e4000)