iof-bird / bird-2.0.1 / sysdep / linux / syspriv.h @ 6b3f1a54
History | View | Annotate | Download (1.85 KB)
1 | 6b3f1a54 | tiamilani | #ifndef _BIRD_SYSPRIV_H_
|
---|---|---|---|
2 | #define _BIRD_SYSPRIV_H_
|
||
3 | |||
4 | #ifndef _GNU_SOURCE
|
||
5 | #define _GNU_SOURCE
|
||
6 | #endif
|
||
7 | |||
8 | #include <unistd.h> |
||
9 | #include <sys/prctl.h> |
||
10 | #include <linux/capability.h> |
||
11 | |||
12 | #ifndef _LINUX_CAPABILITY_VERSION_3
|
||
13 | #define _LINUX_CAPABILITY_VERSION_3 0x20080522 |
||
14 | #define _LINUX_CAPABILITY_U32S_3 2 |
||
15 | #endif
|
||
16 | |||
17 | /* CAP_TO_MASK is missing in CentOS header files */
|
||
18 | #ifndef CAP_TO_MASK
|
||
19 | #define CAP_TO_MASK(x) (1 << ((x) & 31)) |
||
20 | #endif
|
||
21 | |||
22 | /* capset() prototype is missing ... */
|
||
23 | int capset(cap_user_header_t hdrp, const cap_user_data_t datap); |
||
24 | |||
25 | static inline int |
||
26 | set_capabilities(u32 caps) |
||
27 | { |
||
28 | struct __user_cap_header_struct cap_hdr;
|
||
29 | struct __user_cap_data_struct cap_dat[_LINUX_CAPABILITY_U32S_3];
|
||
30 | int err;
|
||
31 | |||
32 | cap_hdr.version = _LINUX_CAPABILITY_VERSION_3; |
||
33 | cap_hdr.pid = 0;
|
||
34 | |||
35 | memset(cap_dat, 0, sizeof(cap_dat)); |
||
36 | cap_dat[0].effective = cap_dat[0].permitted = caps; |
||
37 | |||
38 | err = capset(&cap_hdr, cap_dat); |
||
39 | if (!err)
|
||
40 | return 0; |
||
41 | |||
42 | /* Kernel may support do not support our version of capability interface.
|
||
43 | The last call returned supported version so we just retry it. */
|
||
44 | if (errno == EINVAL)
|
||
45 | { |
||
46 | err = capset(&cap_hdr, cap_dat); |
||
47 | if (!err)
|
||
48 | return 0; |
||
49 | } |
||
50 | |||
51 | return -1; |
||
52 | } |
||
53 | |||
54 | static void |
||
55 | drop_uid(uid_t uid) |
||
56 | { |
||
57 | u32 caps = |
||
58 | CAP_TO_MASK(CAP_NET_BIND_SERVICE) | |
||
59 | CAP_TO_MASK(CAP_NET_BROADCAST) | |
||
60 | CAP_TO_MASK(CAP_NET_ADMIN) | |
||
61 | CAP_TO_MASK(CAP_NET_RAW); |
||
62 | |||
63 | /* change effective user ID to be able to switch to that
|
||
64 | user ID completely after dropping CAP_SETUID */
|
||
65 | if (seteuid(uid) < 0) |
||
66 | die("seteuid: %m");
|
||
67 | |||
68 | /* restrict the capabilities */
|
||
69 | if (set_capabilities(caps) < 0) |
||
70 | die("capset: %m");
|
||
71 | |||
72 | /* keep the capabilities after dropping root ID */
|
||
73 | if (prctl(PR_SET_KEEPCAPS, 1) < 0) |
||
74 | die("prctl: %m");
|
||
75 | |||
76 | /* completely switch to the unprivileged user ID */
|
||
77 | if (setresuid(uid, uid, uid) < 0) |
||
78 | die("setresuid: %m");
|
||
79 | } |
||
80 | |||
81 | #endif /* _BIRD_SYSPRIV_H_ */ |