|
|
a19bc6 |
From ab2c6236a959fe53109cc36f3642b3a7a2051746 Mon Sep 17 00:00:00 2001
|
|
|
a19bc6 |
From: Ismo Puustinen <ismo.puustinen@intel.com>
|
|
|
a19bc6 |
Date: Thu, 31 Dec 2015 14:54:44 +0200
|
|
|
a19bc6 |
Subject: [PATCH] capabilities: added support for ambient capabilities.
|
|
|
a19bc6 |
|
|
|
a19bc6 |
This patch adds support for ambient capabilities in service files. The
|
|
|
a19bc6 |
idea with ambient capabilities is that the execed processes can run with
|
|
|
a19bc6 |
non-root user and get some inherited capabilities, without having any
|
|
|
a19bc6 |
need to add the capabilities to the executable file.
|
|
|
a19bc6 |
|
|
|
a19bc6 |
You need at least Linux 4.3 to use ambient capabilities. SecureBit
|
|
|
a19bc6 |
keep-caps is automatically added when you use ambient capabilities and
|
|
|
a19bc6 |
wish to change the user.
|
|
|
a19bc6 |
|
|
|
a19bc6 |
An example system service file might look like this:
|
|
|
a19bc6 |
|
|
|
a19bc6 |
[Unit]
|
|
|
a19bc6 |
Description=Service for testing caps
|
|
|
a19bc6 |
|
|
|
a19bc6 |
[Service]
|
|
|
a19bc6 |
ExecStart=/usr/bin/sleep 10000
|
|
|
a19bc6 |
User=nobody
|
|
|
a19bc6 |
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
|
|
|
a19bc6 |
|
|
|
a19bc6 |
After starting the service it has these capabilities:
|
|
|
a19bc6 |
|
|
|
a19bc6 |
CapInh: 0000000000003000
|
|
|
a19bc6 |
CapPrm: 0000000000003000
|
|
|
a19bc6 |
CapEff: 0000000000003000
|
|
|
a19bc6 |
CapBnd: 0000003fffffffff
|
|
|
a19bc6 |
CapAmb: 0000000000003000
|
|
|
a19bc6 |
|
|
|
a19bc6 |
Cherry-picked from: 755d4b6
|
|
|
a19bc6 |
Resolves: #1387398
|
|
|
a19bc6 |
---
|
|
|
a19bc6 |
src/core/dbus-execute.c | 19 ++++++++
|
|
|
a19bc6 |
src/core/execute.c | 90 ++++++++++++++++++++++++++++-------
|
|
|
a19bc6 |
src/core/execute.h | 2 +
|
|
|
a19bc6 |
src/core/load-fragment-gperf.gperf.m4 | 1 +
|
|
|
a19bc6 |
src/core/load-fragment.c | 4 +-
|
|
|
a19bc6 |
src/shared/capability.c | 55 +++++++++++++++++++++
|
|
|
a19bc6 |
src/shared/capability.h | 3 ++
|
|
|
a19bc6 |
src/shared/missing.h | 16 +++++++
|
|
|
a19bc6 |
src/test/test-unit-file.c | 1 +
|
|
|
a19bc6 |
9 files changed, 174 insertions(+), 17 deletions(-)
|
|
|
a19bc6 |
|
|
|
a19bc6 |
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
|
|
|
181b3f |
index a564c53fa..817ef80d1 100644
|
|
|
a19bc6 |
--- a/src/core/dbus-execute.c
|
|
|
a19bc6 |
+++ b/src/core/dbus-execute.c
|
|
|
a19bc6 |
@@ -327,6 +327,24 @@ static int property_get_capability_bounding_set(
|
|
|
a19bc6 |
return sd_bus_message_append(reply, "t", c->capability_bounding_set);
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+static int property_get_ambient_capabilities(
|
|
|
a19bc6 |
+ sd_bus *bus,
|
|
|
a19bc6 |
+ const char *path,
|
|
|
a19bc6 |
+ const char *interface,
|
|
|
a19bc6 |
+ const char *property,
|
|
|
a19bc6 |
+ sd_bus_message *reply,
|
|
|
a19bc6 |
+ void *userdata,
|
|
|
a19bc6 |
+ sd_bus_error *error) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ ExecContext *c = userdata;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ assert(bus);
|
|
|
a19bc6 |
+ assert(reply);
|
|
|
a19bc6 |
+ assert(c);
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ return sd_bus_message_append(reply, "t", c->capability_ambient_set);
|
|
|
a19bc6 |
+}
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
static int property_get_capabilities(
|
|
|
a19bc6 |
sd_bus *bus,
|
|
|
a19bc6 |
const char *path,
|
|
|
a19bc6 |
@@ -637,6 +655,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
|
|
|
a19bc6 |
SD_BUS_PROPERTY("Capabilities", "s", property_get_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
SD_BUS_PROPERTY("SecureBits", "i", bus_property_get_int, offsetof(ExecContext, secure_bits), SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
SD_BUS_PROPERTY("CapabilityBoundingSet", "t", property_get_capability_bounding_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
+ SD_BUS_PROPERTY("AmbientCapabilities", "t", property_get_ambient_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
|
|
|
a19bc6 |
diff --git a/src/core/execute.c b/src/core/execute.c
|
|
|
181b3f |
index 40db11e28..4265b9c34 100644
|
|
|
a19bc6 |
--- a/src/core/execute.c
|
|
|
a19bc6 |
+++ b/src/core/execute.c
|
|
|
a19bc6 |
@@ -696,12 +696,7 @@ static int enforce_user(const ExecContext *context, uid_t uid) {
|
|
|
a19bc6 |
/* Sets (but doesn't lookup) the uid and make sure we keep the
|
|
|
a19bc6 |
* capabilities while doing so. */
|
|
|
a19bc6 |
|
|
|
a19bc6 |
- if (context->capabilities) {
|
|
|
a19bc6 |
- _cleanup_cap_free_ cap_t d = NULL;
|
|
|
a19bc6 |
- static const cap_value_t bits[] = {
|
|
|
a19bc6 |
- CAP_SETUID, /* Necessary so that we can run setresuid() below */
|
|
|
a19bc6 |
- CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
|
|
|
a19bc6 |
- };
|
|
|
a19bc6 |
+ if (context->capabilities || context->capability_ambient_set != 0) {
|
|
|
a19bc6 |
|
|
|
a19bc6 |
/* First step: If we need to keep capabilities but
|
|
|
a19bc6 |
* drop privileges we need to make sure we keep our
|
|
|
a19bc6 |
@@ -717,16 +712,24 @@ static int enforce_user(const ExecContext *context, uid_t uid) {
|
|
|
a19bc6 |
/* Second step: set the capabilities. This will reduce
|
|
|
a19bc6 |
* the capabilities to the minimum we need. */
|
|
|
a19bc6 |
|
|
|
a19bc6 |
- d = cap_dup(context->capabilities);
|
|
|
a19bc6 |
- if (!d)
|
|
|
a19bc6 |
- return -errno;
|
|
|
a19bc6 |
+ if (context->capabilities) {
|
|
|
a19bc6 |
+ _cleanup_cap_free_ cap_t d = NULL;
|
|
|
a19bc6 |
+ static const cap_value_t bits[] = {
|
|
|
a19bc6 |
+ CAP_SETUID, /* Necessary so that we can run setresuid() below */
|
|
|
a19bc6 |
+ CAP_SETPCAP /* Necessary so that we can set PR_SET_SECUREBITS later on */
|
|
|
a19bc6 |
+ };
|
|
|
a19bc6 |
|
|
|
a19bc6 |
- if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
|
|
|
a19bc6 |
- cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
|
|
|
a19bc6 |
- return -errno;
|
|
|
a19bc6 |
+ d = cap_dup(context->capabilities);
|
|
|
a19bc6 |
+ if (!d)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
|
|
|
a19bc6 |
- if (cap_set_proc(d) < 0)
|
|
|
a19bc6 |
- return -errno;
|
|
|
a19bc6 |
+ if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
|
|
|
a19bc6 |
+ cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (cap_set_proc(d) < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
/* Third step: actually set the uids */
|
|
|
a19bc6 |
@@ -1723,6 +1726,8 @@ static int exec_child(
|
|
|
a19bc6 |
|
|
|
a19bc6 |
if (params->apply_permissions) {
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+ int secure_bits = context->secure_bits;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
for (i = 0; i < _RLIMIT_MAX; i++) {
|
|
|
a19bc6 |
if (!context->rlimit[i])
|
|
|
a19bc6 |
continue;
|
|
|
a19bc6 |
@@ -1750,6 +1755,30 @@ static int exec_child(
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
#endif
|
|
|
a19bc6 |
+ /* This is done before enforce_user, but ambient set
|
|
|
a19bc6 |
+ * does not survive over setresuid() if keep_caps is not set. */
|
|
|
a19bc6 |
+ if (context->capability_ambient_set != 0) {
|
|
|
a19bc6 |
+ r = capability_ambient_set_apply(context->capability_ambient_set, true);
|
|
|
a19bc6 |
+ if (r < 0) {
|
|
|
a19bc6 |
+ *exit_status = EXIT_CAPABILITIES;
|
|
|
a19bc6 |
+ return r;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (context->capabilities) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* The capabilities in ambient set need to be also in the inherited
|
|
|
a19bc6 |
+ * set. If they aren't, trying to get them will fail. Add the ambient
|
|
|
a19bc6 |
+ * set inherited capabilities to the capability set in the context.
|
|
|
a19bc6 |
+ * This is needed because if capabilities are set (using "Capabilities="
|
|
|
a19bc6 |
+ * keyword), they will override whatever we set now. */
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ r = capability_update_inherited_set(context->capabilities, context->capability_ambient_set);
|
|
|
a19bc6 |
+ if (r < 0) {
|
|
|
a19bc6 |
+ *exit_status = EXIT_CAPABILITIES;
|
|
|
a19bc6 |
+ return r;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
|
|
|
a19bc6 |
if (context->user) {
|
|
|
a19bc6 |
r = enforce_user(context, uid);
|
|
|
a19bc6 |
@@ -1757,14 +1786,32 @@ static int exec_child(
|
|
|
a19bc6 |
*exit_status = EXIT_USER;
|
|
|
a19bc6 |
return r;
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
+ if (context->capability_ambient_set != 0) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* Fix the ambient capabilities after user change. */
|
|
|
a19bc6 |
+ r = capability_ambient_set_apply(context->capability_ambient_set, false);
|
|
|
a19bc6 |
+ if (r < 0) {
|
|
|
a19bc6 |
+ *exit_status = EXIT_CAPABILITIES;
|
|
|
a19bc6 |
+ return r;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* If we were asked to change user and ambient capabilities
|
|
|
a19bc6 |
+ * were requested, we had to add keep-caps to the securebits
|
|
|
a19bc6 |
+ * so that we would maintain the inherited capability set
|
|
|
a19bc6 |
+ * through the setresuid(). Make sure that the bit is added
|
|
|
a19bc6 |
+ * also to the context secure_bits so that we don't try to
|
|
|
a19bc6 |
+ * drop the bit away next. */
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ secure_bits |= 1<
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
/* PR_GET_SECUREBITS is not privileged, while
|
|
|
a19bc6 |
* PR_SET_SECUREBITS is. So to suppress
|
|
|
a19bc6 |
* potential EPERMs we'll try not to call
|
|
|
a19bc6 |
* PR_SET_SECUREBITS unless necessary. */
|
|
|
a19bc6 |
- if (prctl(PR_GET_SECUREBITS) != context->secure_bits)
|
|
|
a19bc6 |
- if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) {
|
|
|
a19bc6 |
+ if (prctl(PR_GET_SECUREBITS) != secure_bits)
|
|
|
a19bc6 |
+ if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {
|
|
|
a19bc6 |
*exit_status = EXIT_SECUREBITS;
|
|
|
a19bc6 |
return -errno;
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
@@ -2431,6 +2478,17 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
|
|
a19bc6 |
fputs("\n", f);
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+ if (c->capability_ambient_set != 0) {
|
|
|
a19bc6 |
+ unsigned long l;
|
|
|
a19bc6 |
+ fprintf(f, "%sAmbientCapabilities:", prefix);
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ for (l = 0; l <= cap_last_cap(); l++)
|
|
|
a19bc6 |
+ if (c->capability_ambient_set & (UINT64_C(1) << l))
|
|
|
a19bc6 |
+ fprintf(f, " %s", strna(capability_to_name(l)));
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ fputs("\n", f);
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
if (c->user)
|
|
|
a19bc6 |
fprintf(f, "%sUser: %s\n", prefix, c->user);
|
|
|
a19bc6 |
if (c->group)
|
|
|
a19bc6 |
diff --git a/src/core/execute.h b/src/core/execute.h
|
|
|
181b3f |
index 40f7b794c..00bf99cbe 100644
|
|
|
a19bc6 |
--- a/src/core/execute.h
|
|
|
a19bc6 |
+++ b/src/core/execute.h
|
|
|
a19bc6 |
@@ -152,6 +152,8 @@ struct ExecContext {
|
|
|
a19bc6 |
|
|
|
a19bc6 |
uint64_t capability_bounding_set;
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+ uint64_t capability_ambient_set;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
cap_t capabilities;
|
|
|
a19bc6 |
int secure_bits;
|
|
|
a19bc6 |
|
|
|
a19bc6 |
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
|
|
|
181b3f |
index e4ce29210..f996032cf 100644
|
|
|
a19bc6 |
--- a/src/core/load-fragment-gperf.gperf.m4
|
|
|
a19bc6 |
+++ b/src/core/load-fragment-gperf.gperf.m4
|
|
|
a19bc6 |
@@ -48,6 +48,7 @@ $1.SyslogLevelPrefix, config_parse_bool, 0,
|
|
|
a19bc6 |
$1.Capabilities, config_parse_exec_capabilities, 0, offsetof($1, exec_context)
|
|
|
a19bc6 |
$1.SecureBits, config_parse_exec_secure_bits, 0, offsetof($1, exec_context)
|
|
|
a19bc6 |
$1.CapabilityBoundingSet, config_parse_capability_set, 0, offsetof($1, exec_context.capability_bounding_set)
|
|
|
a19bc6 |
+$1.AmbientCapabilities, config_parse_capability_set, 0, offsetof($1, exec_context.capability_ambient_set)
|
|
|
a19bc6 |
$1.TimerSlackNSec, config_parse_nsec, 0, offsetof($1, exec_context.timer_slack_nsec)
|
|
|
a19bc6 |
$1.NoNewPrivileges, config_parse_no_new_privileges, 0, offsetof($1, exec_context)
|
|
|
a19bc6 |
m4_ifdef(`HAVE_SECCOMP',
|
|
|
a19bc6 |
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
|
|
|
181b3f |
index dbaaf2fee..7d1ac6c25 100644
|
|
|
a19bc6 |
--- a/src/core/load-fragment.c
|
|
|
a19bc6 |
+++ b/src/core/load-fragment.c
|
|
|
a19bc6 |
@@ -61,6 +61,7 @@
|
|
|
a19bc6 |
#include "af-list.h"
|
|
|
a19bc6 |
#include "cap-list.h"
|
|
|
a19bc6 |
#include "bus-internal.h"
|
|
|
a19bc6 |
+#include "capability.h"
|
|
|
a19bc6 |
|
|
|
a19bc6 |
#ifdef HAVE_SECCOMP
|
|
|
a19bc6 |
#include "seccomp-util.h"
|
|
|
a19bc6 |
@@ -1044,6 +1045,7 @@ int config_parse_capability_set(
|
|
|
a19bc6 |
|
|
|
a19bc6 |
if (strcmp(lvalue, "CapabilityBoundingSet") == 0)
|
|
|
a19bc6 |
initial = CAP_ALL; /* initialized to all bits on */
|
|
|
a19bc6 |
+ /* else "AmbientCapabilities" initialized to all bits off */
|
|
|
a19bc6 |
|
|
|
a19bc6 |
p = rvalue;
|
|
|
a19bc6 |
for (;;) {
|
|
|
a19bc6 |
@@ -1062,7 +1064,7 @@ int config_parse_capability_set(
|
|
|
a19bc6 |
|
|
|
a19bc6 |
cap = capability_from_name(word);
|
|
|
a19bc6 |
if (cap < 0) {
|
|
|
a19bc6 |
- log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse capability in bounding set, ignoring: %s", word);
|
|
|
a19bc6 |
+ log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse capability in bounding/ambient set, ignoring: %s", word);
|
|
|
a19bc6 |
continue;
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
diff --git a/src/shared/capability.c b/src/shared/capability.c
|
|
|
181b3f |
index 3ed31df5a..6e3d7d22e 100644
|
|
|
a19bc6 |
--- a/src/shared/capability.c
|
|
|
a19bc6 |
+++ b/src/shared/capability.c
|
|
|
a19bc6 |
@@ -98,6 +98,61 @@ unsigned long cap_last_cap(void) {
|
|
|
a19bc6 |
return p;
|
|
|
a19bc6 |
}
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+int capability_update_inherited_set(cap_t caps, uint64_t set) {
|
|
|
a19bc6 |
+ unsigned long i;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* Add capabilities in the set to the inherited caps. Do not apply
|
|
|
a19bc6 |
+ * them yet. */
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ for (i = 0; i < cap_last_cap(); i++) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (set & (UINT64_C(1) << i)) {
|
|
|
a19bc6 |
+ cap_value_t v;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ v = (cap_value_t) i;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* Make the capability inheritable. */
|
|
|
a19bc6 |
+ if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ return 0;
|
|
|
a19bc6 |
+}
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
|
|
|
a19bc6 |
+ unsigned long i;
|
|
|
a19bc6 |
+ _cleanup_cap_free_ cap_t caps = NULL;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* Add the capabilities to the ambient set. */
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (also_inherit) {
|
|
|
a19bc6 |
+ int r;
|
|
|
a19bc6 |
+ caps = cap_get_proc();
|
|
|
a19bc6 |
+ if (!caps)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ r = capability_update_inherited_set(caps, set);
|
|
|
a19bc6 |
+ if (r < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (cap_set_proc(caps) < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ for (i = 0; i < cap_last_cap(); i++) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ if (set & (UINT64_C(1) << i)) {
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ /* Add the capability to the ambient set. */
|
|
|
a19bc6 |
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
|
|
|
a19bc6 |
+ return -errno;
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+ }
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+ return 0;
|
|
|
a19bc6 |
+}
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
int capability_bounding_set_drop(uint64_t keep, bool right_now) {
|
|
|
a19bc6 |
_cleanup_cap_free_ cap_t after_cap = NULL;
|
|
|
a19bc6 |
cap_flag_value_t fv;
|
|
|
a19bc6 |
diff --git a/src/shared/capability.h b/src/shared/capability.h
|
|
|
181b3f |
index 04cd6e54e..76a756856 100644
|
|
|
a19bc6 |
--- a/src/shared/capability.h
|
|
|
a19bc6 |
+++ b/src/shared/capability.h
|
|
|
a19bc6 |
@@ -36,6 +36,9 @@ int capability_bounding_set_drop_usermode(uint64_t keep);
|
|
|
a19bc6 |
|
|
|
a19bc6 |
int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites);
|
|
|
a19bc6 |
|
|
|
a19bc6 |
+int capability_ambient_set_apply(uint64_t set, bool also_inherit);
|
|
|
a19bc6 |
+int capability_update_inherited_set(cap_t caps, uint64_t ambient_set);
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
int drop_capability(cap_value_t cv);
|
|
|
a19bc6 |
|
|
|
a19bc6 |
DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free);
|
|
|
a19bc6 |
diff --git a/src/shared/missing.h b/src/shared/missing.h
|
|
|
181b3f |
index 4b36a9c93..a7771bc99 100644
|
|
|
a19bc6 |
--- a/src/shared/missing.h
|
|
|
a19bc6 |
+++ b/src/shared/missing.h
|
|
|
a19bc6 |
@@ -1004,3 +1004,19 @@ static inline int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, uns
|
|
|
a19bc6 |
#ifndef KCMP_FILE
|
|
|
a19bc6 |
#define KCMP_FILE 0
|
|
|
a19bc6 |
#endif
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+#ifndef PR_CAP_AMBIENT
|
|
|
a19bc6 |
+#define PR_CAP_AMBIENT 47
|
|
|
a19bc6 |
+#endif
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+#ifndef PR_CAP_AMBIENT_IS_SET
|
|
|
a19bc6 |
+#define PR_CAP_AMBIENT_IS_SET 1
|
|
|
a19bc6 |
+#endif
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+#ifndef PR_CAP_AMBIENT_RAISE
|
|
|
a19bc6 |
+#define PR_CAP_AMBIENT_RAISE 2
|
|
|
a19bc6 |
+#endif
|
|
|
a19bc6 |
+
|
|
|
a19bc6 |
+#ifndef PR_CAP_AMBIENT_CLEAR_ALL
|
|
|
a19bc6 |
+#define PR_CAP_AMBIENT_CLEAR_ALL 4
|
|
|
a19bc6 |
+#endif
|
|
|
a19bc6 |
diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c
|
|
|
181b3f |
index 38ecfe972..cfa3d2316 100644
|
|
|
a19bc6 |
--- a/src/test/test-unit-file.c
|
|
|
a19bc6 |
+++ b/src/test/test-unit-file.c
|
|
|
a19bc6 |
@@ -38,6 +38,7 @@
|
|
|
a19bc6 |
#include "strv.h"
|
|
|
a19bc6 |
#include "fileio.h"
|
|
|
a19bc6 |
#include "test-helper.h"
|
|
|
a19bc6 |
+#include "capability.h"
|
|
|
a19bc6 |
|
|
|
a19bc6 |
static int test_unit_file_get_set(void) {
|
|
|
a19bc6 |
int r;
|