Skip to content

Commit

Permalink
UTILS: add capabilities management helpers
Browse files Browse the repository at this point in the history
  • Loading branch information
alexey-tikhonov committed Sep 3, 2023
1 parent 93fdda4 commit ff3c89f
Show file tree
Hide file tree
Showing 6 changed files with 60 additions and 0 deletions.
3 changes: 3 additions & 0 deletions Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -1306,6 +1306,7 @@ libsss_util_la_CFLAGS = \
libsss_util_la_LIBADD = \
$(LIBADD_TIMER) \
$(SSSD_LIBS) \
$(CAP_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(UNICODE_LIBS) \
$(PCRE_LIBS) \
Expand Down Expand Up @@ -4698,6 +4699,7 @@ krb5_child_LDADD = \
$(CLIENT_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(JANSSON_LIBS) \
$(CAP_LIBS) \
$(NULL)

ldap_child_SOURCES = \
Expand All @@ -4723,6 +4725,7 @@ ldap_child_LDADD = \
libsss_debug.la \
$(TALLOC_LIBS) \
$(POPT_LIBS) \
$(CAP_LIBS) \
$(DHASH_LIBS) \
$(KRB5_LIBS)

Expand Down
7 changes: 7 additions & 0 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -516,6 +516,13 @@ AS_IF([test x$have_check = x], [
AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers]))
])

PKG_CHECK_MODULES([CAP], [libcap], [have_libcap=1], [have_libcap=])
AS_IF([test x$have_libcap = x], [
AC_MSG_ERROR([libcap is missing])
], [
AC_CHECK_HEADERS([sys/capability.h],,AC_MSG_ERROR([Could not find sys/capability.h headers]))
])

AC_PATH_PROG([DOXYGEN], [doxygen], [false])
AM_CONDITIONAL([HAVE_DOXYGEN], [test x$DOXYGEN != xfalse ])

Expand Down
2 changes: 2 additions & 0 deletions contrib/ci/deps.sh
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
krb5-server
krb5-workstation
libunistring-devel
libcap-devel
)

if [[ "$DISTRO_BRANCH" == -redhat-fedora-31* ||
Expand Down Expand Up @@ -183,6 +184,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
libp11-kit-dev
bc
libunistring-dev
libcap-dev
)

DEPS_INTGCHECK_SATISFIED=true
Expand Down
1 change: 1 addition & 0 deletions contrib/sssd.spec.in
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@ BuildRequires: gettext-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: libcap-devel
BuildRequires: libcurl-devel
BuildRequires: libjose-devel
BuildRequires: keyutils-libs-devel
Expand Down
45 changes: 45 additions & 0 deletions src/util/become_user.c
Original file line number Diff line number Diff line change
Expand Up @@ -210,3 +210,48 @@ errno_t restore_creds(struct sss_creds *saved_creds)
saved_creds->num_gids,
saved_creds->gids, NULL);
}

errno_t sss_drop_cap(cap_value_t cap)
{
int ret;

cap_t caps = cap_get_proc();
if (caps == NULL) {
ret = errno;
DEBUG(SSSDBG_TRACE_FUNC, "cap_get_proc() failed: %d ('%s')\n",
ret, strerror(ret));
return ret;
}
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, 0) == -1) {
ret = errno;
DEBUG(SSSDBG_TRACE_FUNC,
"cap_set_flag(CAP_EFFECTIVE) failed: %d ('%s')\n",
ret, strerror(ret));
goto done;
}
if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, 0) == -1) {
ret = errno;
DEBUG(SSSDBG_TRACE_FUNC,
"cap_set_flag(CAP_PERMITTED) failed: %d ('%s')\n",
ret, strerror(ret));
goto done;
}
if (cap_set_proc(caps) == -1) {
ret = errno;
DEBUG(SSSDBG_TRACE_FUNC, "cap_set_proc() failed: %d ('%s')\n",
ret, strerror(ret));
goto done;
}

ret = 0;

done:
if (cap_free(caps) == -1) {
if (ret == 0) {
ret = errno;
}
DEBUG(SSSDBG_TRACE_FUNC, "cap_free() failed\n");
}

return ret;
}
2 changes: 2 additions & 0 deletions src/util/util.h
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
#include <netinet/in.h>
#include <limits.h>
#include <sys/un.h>
#include <sys/capability.h>

#include <talloc.h>
#include <tevent.h>
Expand Down Expand Up @@ -751,6 +752,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
int num_gids, gid_t *gids,
struct sss_creds **saved_creds);
errno_t restore_creds(struct sss_creds *saved_creds);
errno_t sss_drop_cap(cap_value_t cap);

/* from sss_semanage.c */
/* Please note that libsemange relies on files and directories created with
Expand Down

0 comments on commit ff3c89f

Please sign in to comment.