31a7291c90577c24ce57238e2c7aced42524ceda
[strongswan.git] / src / libstrongswan / utils / capabilities.c
1 /*
2 * Copyright (C) 2012-2013 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 * Copyright (C) 2012 Martin Willi
5 * Copyright (C) 2012 revosec AG
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "capabilities.h"
19
20 #include <errno.h>
21 #include <string.h>
22 #include <sys/types.h>
23 #include <pwd.h>
24 #include <grp.h>
25 #include <unistd.h>
26 #ifdef HAVE_PRCTL
27 # include <sys/prctl.h>
28 #endif /* HAVE_PRCTL */
29
30 #include <utils/debug.h>
31
32 #if !defined(HAVE_GETPWNAM_R) || \
33 !defined(HAVE_GETGRNAM_R) || \
34 !defined(HAVE_GETPWUID_R)
35 # include <threading/mutex.h>
36 # define EMULATE_R_FUNCS
37 #endif
38
39 typedef struct private_capabilities_t private_capabilities_t;
40
41 /**
42 * Private data of an capabilities_t object.
43 */
44 struct private_capabilities_t {
45
46 /**
47 * Public capabilities_t interface.
48 */
49 capabilities_t public;
50
51 /**
52 * user ID to switch during rights dropping
53 */
54 uid_t uid;
55
56 /**
57 * group ID to switch during rights dropping
58 */
59 gid_t gid;
60
61 /**
62 * capabilities to keep
63 */
64 #ifdef CAPABILITIES_LIBCAP
65 cap_t caps;
66 #endif /* CAPABILITIES_LIBCAP */
67 #ifdef CAPABILITIES_NATIVE
68 struct __user_cap_data_struct caps[2];
69 #endif /* CAPABILITIES_NATIVE */
70
71 #ifdef EMULATE_R_FUNCS
72 /**
73 * mutex to emulate get(pw|gr)nam_r functions
74 */
75 mutex_t *mutex;
76 #endif
77 };
78
79 /**
80 * Returns TRUE if the current process/user is member of the given group
81 */
82 static bool has_group(gid_t group)
83 {
84 gid_t *groups;
85 long ngroups, i;
86 bool found = FALSE;
87
88 if (group == getegid())
89 { /* it's unspecified if this is part of the list below or not */
90 return TRUE;
91 }
92 ngroups = sysconf(_SC_NGROUPS_MAX);
93 groups = calloc(ngroups, sizeof(gid_t));
94 ngroups = getgroups(ngroups, groups);
95 if (ngroups == -1)
96 {
97 DBG1(DBG_LIB, "getting groups for current process failed: %s",
98 strerror(errno));
99 return FALSE;
100 }
101 for (i = 0; i < ngroups; i++)
102 {
103 if (group == groups[i])
104 {
105 found = TRUE;
106 break;
107 }
108 }
109 free(groups);
110 return found;
111 }
112
113 /**
114 * Verify that the current process has the given capability
115 */
116 static bool has_capability(private_capabilities_t *this, u_int cap,
117 bool *ignore)
118 {
119 if (cap == CAP_CHOWN)
120 { /* if new files/UNIX sockets are created they should be owned by the
121 * configured user and group. This requires a call to chown(2). But
122 * CAP_CHOWN is not always required. */
123 if (!this->uid || geteuid() == this->uid)
124 { /* if the owner does not change CAP_CHOWN is not needed */
125 if (!this->gid || has_group(this->gid))
126 { /* the same applies if the owner is a member of the group */
127 if (ignore)
128 { /* we don't have to keep this, if requested */
129 *ignore = TRUE;
130 }
131 return TRUE;
132 }
133 }
134 }
135 #ifndef CAPABILITIES
136 /* if we can't check the actual capabilities assume only root has it */
137 return geteuid() == 0;
138 #endif /* !CAPABILITIES */
139 #ifdef CAPABILITIES_LIBCAP
140 cap_flag_value_t val;
141 cap_t caps;
142 bool ok;
143
144 caps = cap_get_proc();
145 if (!caps)
146 {
147 return FALSE;
148 }
149 ok = cap_get_flag(caps, cap, CAP_PERMITTED, &val) == 0 && val == CAP_SET;
150 cap_free(caps);
151 return ok;
152 #endif /* CAPABILITIES_LIBCAP */
153 #ifdef CAPABILITIES_NATIVE
154 struct __user_cap_header_struct header = {
155 #if defined(_LINUX_CAPABILITY_VERSION_3)
156 .version = _LINUX_CAPABILITY_VERSION_3,
157 #elif defined(_LINUX_CAPABILITY_VERSION_2)
158 .version = _LINUX_CAPABILITY_VERSION_2,
159 #elif defined(_LINUX_CAPABILITY_VERSION_1)
160 .version = _LINUX_CAPABILITY_VERSION_1,
161 #else
162 .version = _LINUX_CAPABILITY_VERSION,
163 #endif
164 };
165 struct __user_cap_data_struct caps[2];
166 int i = 0;
167
168 if (cap >= 32)
169 {
170 i++;
171 cap -= 32;
172 }
173 return capget(&header, caps) == 0 && caps[i].permitted & (1 << cap);
174 #endif /* CAPABILITIES_NATIVE */
175 }
176
177 /**
178 * Keep the given capability if it is held by the current process. Returns
179 * FALSE, if this is not the case.
180 */
181 static bool keep_capability(private_capabilities_t *this, u_int cap)
182 {
183 #ifdef CAPABILITIES_LIBCAP
184 cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
185 cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
186 cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
187 #endif /* CAPABILITIES_LIBCAP */
188 #ifdef CAPABILITIES_NATIVE
189 int i = 0;
190
191 if (cap >= 32)
192 {
193 i++;
194 cap -= 32;
195 }
196 this->caps[i].effective |= 1 << cap;
197 this->caps[i].permitted |= 1 << cap;
198 this->caps[i].inheritable |= 1 << cap;
199 #endif /* CAPABILITIES_NATIVE */
200 return TRUE;
201 }
202
203 METHOD(capabilities_t, keep, bool,
204 private_capabilities_t *this, u_int cap)
205 {
206 bool ignore = FALSE;
207
208 if (!has_capability(this, cap, &ignore))
209 {
210 return FALSE;
211 }
212 else if (ignore)
213 { /* don't keep capabilities that are not required */
214 return TRUE;
215 }
216 return keep_capability(this, cap);
217 }
218
219 METHOD(capabilities_t, check, bool,
220 private_capabilities_t *this, u_int cap)
221 {
222 return has_capability(this, cap, NULL);
223 }
224
225 METHOD(capabilities_t, get_uid, uid_t,
226 private_capabilities_t *this)
227 {
228 return this->uid ?: geteuid();
229 }
230
231 METHOD(capabilities_t, get_gid, gid_t,
232 private_capabilities_t *this)
233 {
234 return this->gid ?: getegid();
235 }
236
237 METHOD(capabilities_t, set_uid, void,
238 private_capabilities_t *this, uid_t uid)
239 {
240 this->uid = uid;
241 }
242
243 METHOD(capabilities_t, set_gid, void,
244 private_capabilities_t *this, gid_t gid)
245 {
246 this->gid = gid;
247 }
248
249 METHOD(capabilities_t, resolve_uid, bool,
250 private_capabilities_t *this, char *username)
251 {
252 struct passwd *pwp;
253 int err;
254
255 #ifdef HAVE_GETPWNAM_R
256 struct passwd passwd;
257 char buf[1024];
258
259 err = getpwnam_r(username, &passwd, buf, sizeof(buf), &pwp);
260 if (pwp)
261 {
262 this->uid = pwp->pw_uid;
263 }
264 #else /* HAVE GETPWNAM_R */
265 this->mutex->lock(this->mutex);
266 pwp = getpwnam(username);
267 if (pwp)
268 {
269 this->uid = pwp->pw_uid;
270 }
271 err = errno;
272 this->mutex->unlock(this->mutex);
273 #endif /* HAVE GETPWNAM_R */
274 if (pwp)
275 {
276 return TRUE;
277 }
278 DBG1(DBG_LIB, "resolving user '%s' failed: %s", username,
279 err ? strerror(err) : "user not found");
280 return FALSE;
281 }
282
283 METHOD(capabilities_t, resolve_gid, bool,
284 private_capabilities_t *this, char *groupname)
285 {
286 struct group *grp;
287 int err;
288
289 #ifdef HAVE_GETGRNAM_R
290 struct group group;
291 char buf[1024];
292
293 err = getgrnam_r(groupname, &group, buf, sizeof(buf), &grp);
294 if (grp)
295 {
296 this->gid = grp->gr_gid;
297 }
298 #else /* HAVE_GETGRNAM_R */
299 this->mutex->lock(this->mutex);
300 grp = getgrnam(groupname);
301 if (grp)
302 {
303 this->gid = grp->gr_gid;
304 }
305 err = errno;
306 this->mutex->unlock(this->mutex);
307 #endif /* HAVE_GETGRNAM_R */
308 if (grp)
309 {
310 return TRUE;
311 }
312 DBG1(DBG_LIB, "resolving user '%s' failed: %s", groupname,
313 err ? strerror(err) : "group not found");
314 return FALSE;
315 }
316
317 /**
318 * Initialize supplementary groups for unprivileged user
319 */
320 static bool init_supplementary_groups(private_capabilities_t *this)
321 {
322 struct passwd *pwp;
323 int res = -1;
324
325 #ifdef HAVE_GETPWUID_R
326 struct passwd pwd;
327 char buf[1024];
328
329 if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
330 {
331 res = initgroups(pwp->pw_name, this->gid);
332 }
333 #else /* HAVE_GETPWUID_R */
334 this->mutex->lock(this->mutex);
335 pwp = getpwuid(this->uid);
336 if (pwp)
337 {
338 res = initgroups(pwp->pw_name, this->gid);
339 }
340 this->mutex->unlock(this->mutex);
341 #endif /* HAVE_GETPWUID_R */
342 return res == 0;
343 }
344
345 METHOD(capabilities_t, drop, bool,
346 private_capabilities_t *this)
347 {
348 #ifdef HAVE_PRCTL
349 prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
350 #endif
351
352 if (this->uid && !init_supplementary_groups(this))
353 {
354 DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
355 this->uid);
356 return FALSE;
357 }
358 if (this->gid && setgid(this->gid) != 0)
359 {
360 DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
361 this->gid, strerror(errno));
362 return FALSE;
363 }
364 if (this->uid && setuid(this->uid) != 0)
365 {
366 DBG1(DBG_LIB, "change to unprivileged user %u failed: %s",
367 this->uid, strerror(errno));
368 return FALSE;
369 }
370
371 #ifdef CAPABILITIES_LIBCAP
372 if (cap_set_proc(this->caps) != 0)
373 {
374 DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
375 return FALSE;
376 }
377 #endif /* CAPABILITIES_LIBCAP */
378 #ifdef CAPABILITIES_NATIVE
379 struct __user_cap_header_struct header = {
380 #if defined(_LINUX_CAPABILITY_VERSION_3)
381 .version = _LINUX_CAPABILITY_VERSION_3,
382 #elif defined(_LINUX_CAPABILITY_VERSION_2)
383 .version = _LINUX_CAPABILITY_VERSION_2,
384 #elif defined(_LINUX_CAPABILITY_VERSION_1)
385 .version = _LINUX_CAPABILITY_VERSION_1,
386 #else
387 .version = _LINUX_CAPABILITY_VERSION,
388 #endif
389 };
390 if (capset(&header, this->caps) != 0)
391 {
392 DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno));
393 return FALSE;
394 }
395 #endif /* CAPABILITIES_NATIVE */
396 #ifdef CAPABILITIES
397 DBG1(DBG_LIB, "dropped capabilities, running as uid %u, gid %u",
398 geteuid(), getegid());
399 #endif /* CAPABILITIES */
400 return TRUE;
401 }
402
403 METHOD(capabilities_t, destroy, void,
404 private_capabilities_t *this)
405 {
406 #ifdef EMULATE_R_FUNCS
407 this->mutex->destroy(this->mutex);
408 #endif /* EMULATE_R_FUNCS */
409 #ifdef CAPABILITIES_LIBCAP
410 cap_free(this->caps);
411 #endif /* CAPABILITIES_LIBCAP */
412 free(this);
413 }
414
415 /**
416 * See header
417 */
418 capabilities_t *capabilities_create()
419 {
420 private_capabilities_t *this;
421
422 INIT(this,
423 .public = {
424 .keep = _keep,
425 .check = _check,
426 .get_uid = _get_uid,
427 .get_gid = _get_gid,
428 .set_uid = _set_uid,
429 .set_gid = _set_gid,
430 .resolve_uid = _resolve_uid,
431 .resolve_gid = _resolve_gid,
432 .drop = _drop,
433 .destroy = _destroy,
434 },
435 );
436
437 #ifdef CAPABILITIES_LIBCAP
438 this->caps = cap_init();
439 #endif /* CAPABILITIES_LIBCAP */
440
441 #ifdef EMULATE_R_FUNCS
442 this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
443 #endif /* EMULATE_R_FUNCS */
444
445 return &this->public;
446 }