simplified capability dropping
authorMartin Willi <martin@strongswan.org>
Wed, 9 May 2007 13:12:06 +0000 (13:12 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 9 May 2007 13:12:06 +0000 (13:12 -0000)
src/charon/control/interfaces/dbus_interface.c
src/charon/control/interfaces/stroke_interface.c
src/charon/daemon.c
src/charon/daemon.h
src/charon/kernel/kernel_interface.c
src/charon/network/receiver.c
src/charon/network/sender.c
src/charon/processing/scheduler.c
src/charon/processing/thread_pool.c

index 8f048ba..5d525f2 100644 (file)
@@ -338,8 +338,7 @@ static DBusHandlerResult signal_handler(DBusConnection *con, DBusMessage *msg,
  */
 static void dispatch(private_dbus_interface_t *this)
 {
-       /* drop threads capabilities */
-       charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
 
        while (dbus_connection_read_write_dispatch(this->conn, -1))
        {
index 26a031b..96dcc76 100755 (executable)
@@ -1535,8 +1535,7 @@ static void stroke_receive(private_stroke_interface_t *this)
        int oldstate;
        int strokefd;
        
-       /* drop threads capabilities, keep NET_ADMIN to query use times for status */
-       charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
        
        /* ignore sigpipe. writing over the pipe back to the console
         * only fails if SIGPIPE is ignored. */
index 4677252..62e29b3 100644 (file)
@@ -224,19 +224,23 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 /**
  * drop daemon capabilities
  */
-static void drop_capabilities(private_daemon_t *this, bool change_uid,
-                                                         bool netlink, bool bind)
+static void drop_capabilities(private_daemon_t *this, bool full)
 {
        struct __user_cap_header_struct hdr;
        struct __user_cap_data_struct data;
-       u_int32_t keep = 0;
+       /* CAP_NET_ADMIN is needed to use netlink */
+       u_int32_t keep = (1<<CAP_NET_ADMIN);
        
-       if (netlink)
+       if (full)
        {
-               /* CAP_NET_ADMIN is needed to use netlink */
-               keep |= (1<<CAP_NET_ADMIN);
+#              if IPSEC_GID
+                       setgid(IPSEC_GID);
+#              endif
+#              if IPSEC_UID
+                       setuid(IPSEC_UID);
+#              endif
        }
-       if (bind)
+       else
        {
                /* CAP_NET_BIND_SERVICE to bind services below port 1024, 
                 * CAP_NET_RAW to create RAW sockets.
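Review bot: The setgid() and setuid() calls moved under `if (full)` still discard their return values, so if either fails the thread keeps running as root while the code continues exactly as though the identity switch had succeeded; only the capset() failure is treated as fatal. Both calls should be checked and handled like the capset() failure, via kill_daemon(). drop_capabilities() starts in this hunk but its body (the capset() call and error path) continues in the next one, and `this` is NULL for the early `full == FALSE` call in main(), so the checks stay inside the `full` branch where a daemon object exists. If charon can be started with supplementary groups, a `setgroups(0, NULL)` before setgid() would be needed to drop those too; that is not visible here, so confirm against how the daemon is launched.
```c
	if (full)
	{
#		if IPSEC_GID
			/* abort rather than keep running as root if the GID switch fails */
			if (setgid(IPSEC_GID) != 0)
			{
				kill_daemon(this, "unable to change GID");
			}
#		endif
#		if IPSEC_UID
			if (setuid(IPSEC_UID) != 0)
			{
				kill_daemon(this, "unable to change UID");
			}
#		endif
	}
	/* … unchanged: else branch keeping bind/raw/dac_read_search caps, capset … */
```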
@@ -245,22 +249,12 @@ static void drop_capabilities(private_daemon_t *this, bool change_uid,
                keep |= (1<<CAP_NET_RAW);
                keep |= (1<<CAP_DAC_READ_SEARCH);
        }
-       
+
        hdr.version = _LINUX_CAPABILITY_VERSION;
        hdr.pid = 0;
        data.effective = data.permitted = keep;
        data.inheritable = 0;
        
-       if (change_uid)
-       {
-#              if IPSEC_GID
-                       setgid(IPSEC_GID);
-#              endif
-#              if IPSEC_UID
-                       setuid(IPSEC_UID);
-#              endif
-       }
-       
        if (capset(&hdr, &data))
        {
                kill_daemon(this, "unable to drop threads capabilities");
@@ -372,7 +366,7 @@ private_daemon_t *daemon_create(void)
                
        /* assign methods */
        this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
-       this->public.drop_capabilities = (void(*)(daemon_t*,bool,bool,bool))drop_capabilities;
+       this->public.drop_capabilities = (void(*)(daemon_t*,bool))drop_capabilities;
        
        /* NULL members for clean destruction */
        this->public.socket = NULL;
@@ -458,8 +452,8 @@ int main(int argc, char *argv[])
        
        prctl(PR_SET_KEEPCAPS, 1);
        
-       /* keep bind() and netlink capabilities, stay as root until all files loaded */
-       drop_capabilities(NULL, FALSE, TRUE, TRUE);
+       /* drop the capabilities we won't need at all */
+       drop_capabilities(NULL, FALSE);
        
        /* use CTRL loglevel for default */
        for (signal = 0; signal < DBG_MAX; signal++)
@@ -534,9 +528,6 @@ int main(int argc, char *argv[])
        
        /* initialize daemon */
        initialize(private_charon, use_syslog, levels);
-       
-       /* drop bind() capability, netlink is needed for cleanup */
-       drop_capabilities(private_charon, FALSE, TRUE, FALSE);
 
        /* load pluggable EAP modules */
        eap_method_load(eapdir);
@@ -568,8 +559,8 @@ int main(int argc, char *argv[])
        }
        list->destroy(list);
        
-       /* change UID */
-       drop_capabilities(private_charon, TRUE, TRUE, FALSE);
+       /* drop additional capabilites (bind & root) */
+       drop_capabilities(private_charon, TRUE);
        
        /* run daemon */
        run(private_charon);
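Review bot: The new comment `drop additional capabilites (bind & root)` understates what this call does: with `full == TRUE` the thread also gives up CAP_NET_RAW and CAP_DAC_READ_SEARCH (kept by the earlier `FALSE` call) and switches to IPSEC_UID/IPSEC_GID, keeping only CAP_NET_ADMIN. Suggest `/* switch to IPSEC_UID/GID and keep only CAP_NET_ADMIN (drops bind, raw and dac_read_search) */`, which also fixes the "capabilites" typo. main() starts and ends outside this hunk.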
index f8add30..640bc6a 100644 (file)
@@ -422,12 +422,9 @@ struct daemon_t {
         * @brief Let the calling thread drop its capabilities.
         * 
         * @param this                  calling daemon
-        * @param change_uid    TRUE to change UID/GID to IPSEC_UID/IPSEC_GID
-        * @param netlink               TRUE to keep CAP_NET_ADMIN (using netlink)
-        * @param bind                  TRUE to keep CAP_NET_BIND_SERVICE and CAP_NET_RAW
+        * @param full                  TRUE to drop as many as possible
         */
-       void (*drop_capabilities) (daemon_t *this, bool change_uid,
-                                                          bool netlink, bool bind);
+       void (*drop_capabilities) (daemon_t *this, bool full);
        
        /**
         * @brief Shut down the daemon.
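Review bot: The new `@param full` text "TRUE to drop as many as possible" does not tell a caller what either mode actually retains, which matters because every thread now has to pick one. Per daemon.c in this commit, `TRUE` switches to IPSEC_UID/IPSEC_GID and keeps only CAP_NET_ADMIN, while `FALSE` stays root and additionally keeps CAP_NET_BIND_SERVICE, CAP_NET_RAW and CAP_DAC_READ_SEARCH; suggest `@param full TRUE to switch to IPSEC_UID/GID and keep only CAP_NET_ADMIN, FALSE to stay root and also keep CAP_NET_BIND_SERVICE, CAP_NET_RAW and CAP_DAC_READ_SEARCH`. It is also worth stating in the brief that capabilities are applied per thread, so each thread must call this itself, which is what the call sites in this commit do. The daemon_t struct continues outside the hunk.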
index c68c504..4aabded 100644 (file)
@@ -446,8 +446,7 @@ static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
  */
 static void receive_events(private_kernel_interface_t *this)
 {
-       /* keep netlink capabilities only */
-       charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
 
        while(TRUE) 
        {
index abb7105..dfb7429 100644 (file)
@@ -254,8 +254,7 @@ static void receive_packets(private_receiver_t *this)
        DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", 
                 (int)pthread_self());
        
-       /* drop threads capabilities */
-       charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
        
        while (TRUE)
        {
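Review bot: The receiver thread now calls `drop_capabilities(charon, TRUE)`, which in the new daemon.c keeps CAP_NET_ADMIN, whereas the removed `(TRUE, FALSE, FALSE)` call retained no capabilities at all; the thread that reads packets off the wire therefore keeps a capability it previously dropped. The same widening applies to the sender, scheduler and D-Bus dispatch threads changed in this commit, since the old "keep nothing" mode no longer exists. If that is an accepted cost of the simplification it should be recorded at the call site, e.g. `/* drops to IPSEC_UID; CAP_NET_ADMIN is retained as the API no longer offers a full drop */`; otherwise a mode that also clears CAP_NET_ADMIN for threads that never use netlink would restore the previous least-privilege split. receive_packets() continues outside the hunk.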
index 37e60b6..933b8c1 100644 (file)
@@ -88,8 +88,7 @@ static void send_packets(private_sender_t * this)
        pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
        DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
        
-       /* drop threads capabilities */
-       charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
 
        while (TRUE)
        {
index 2fb4e16..7249e43 100644 (file)
@@ -60,8 +60,7 @@ static void get_events(private_scheduler_t * this)
        DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", 
                 (int)pthread_self());
 
-       /* drop threads capabilities */
-       charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
 
        while (TRUE)
        {
index 09e1707..a9891da 100644 (file)
@@ -73,8 +73,7 @@ static void process_jobs(private_thread_pool_t *this)
        DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
                 (int)pthread_self());
        
-       /* drop threads capabilities, except CAP_NET_ADMIN */
-       charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+       charon->drop_capabilities(charon, TRUE);
        
        while (TRUE)
        {