mirror of https://github.com/rd235/cado
portability fix (support missing PR_CAP_AMBIENT)
This commit is contained in:
parent
499a930cd3
commit
32660373c8
|
@ -28,6 +28,7 @@ install-exec-hook:
|
||||||
chmod g+s $(DESTDIR)$(bindir)/scado
|
chmod g+s $(DESTDIR)$(bindir)/scado
|
||||||
chown cado $(DESTDIR)$(bindir)/cado
|
chown cado $(DESTDIR)$(bindir)/cado
|
||||||
chmod u+s $(DESTDIR)$(bindir)/cado
|
chmod u+s $(DESTDIR)$(bindir)/cado
|
||||||
|
ldconfig $(DESTDIR)$(libdir)
|
||||||
$(DESTDIR)$(bindir)/cado -s
|
$(DESTDIR)$(bindir)/cado -s
|
||||||
|
|
||||||
CLEANFILES = cado_paths.h
|
CLEANFILES = cado_paths.h
|
||||||
|
|
|
@ -51,7 +51,7 @@ static int groupmatch (char *group, char **grouplist) {
|
||||||
|
|
||||||
/* execs security, children must drop their capabilities */
|
/* execs security, children must drop their capabilities */
|
||||||
static int drop_capabilities(void *useless) {
|
static int drop_capabilities(void *useless) {
|
||||||
return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
|
return drop_all_ambient_cap();
|
||||||
}
|
}
|
||||||
|
|
||||||
/* get_authorized_caps returns the set of authorized capabilities
|
/* get_authorized_caps returns the set of authorized capabilities
|
||||||
|
|
|
@ -35,6 +35,9 @@
|
||||||
#ifndef PR_CAP_AMBIENT_LOWER
|
#ifndef PR_CAP_AMBIENT_LOWER
|
||||||
#define PR_CAP_AMBIENT_LOWER 3
|
#define PR_CAP_AMBIENT_LOWER 3
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef PR_CAP_AMBIENT_CLEAR_ALL
|
||||||
|
#define PR_CAP_AMBIENT_CLEAR_ALL 4
|
||||||
|
#endif
|
||||||
|
|
||||||
/* set the ambient capabilities to match the bitmap capset.
|
/* set the ambient capabilities to match the bitmap capset.
|
||||||
the capability #k is active if and only if the (k+1)-th least significative bit in capset is 1.
|
the capability #k is active if and only if the (k+1)-th least significative bit in capset is 1.
|
||||||
|
@ -88,6 +91,10 @@ void drop_ambient_cap(uint64_t capset) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int drop_all_ambient_cap(void) {
|
||||||
|
return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
|
||||||
|
}
|
||||||
|
|
||||||
/* turn cap_dac_read_search on and off to have "extra" powers only when needed */
|
/* turn cap_dac_read_search on and off to have "extra" powers only when needed */
|
||||||
void raise_cap_dac_read_search(void) {
|
void raise_cap_dac_read_search(void) {
|
||||||
cap_value_t cap=CAP_DAC_READ_SEARCH;
|
cap_value_t cap=CAP_DAC_READ_SEARCH;
|
||||||
|
@ -102,3 +109,4 @@ void lower_cap_dac_read_search(void) {
|
||||||
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR);
|
cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR);
|
||||||
cap_set_proc(caps);
|
cap_set_proc(caps);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,8 @@ void set_ambient_cap(uint64_t capset);
|
||||||
|
|
||||||
void drop_ambient_cap(uint64_t capset);
|
void drop_ambient_cap(uint64_t capset);
|
||||||
|
|
||||||
|
int drop_all_ambient_cap(void);
|
||||||
|
|
||||||
void raise_cap_dac_read_search(void);
|
void raise_cap_dac_read_search(void);
|
||||||
|
|
||||||
void lower_cap_dac_read_search(void);
|
void lower_cap_dac_read_search(void);
|
||||||
|
|
Loading…
Reference in New Issue