  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #include "config.h"
  23. #include <cstring>
  24. #include <stdexcept>
  25. #ifdef HAVE_LIBCAP
  26. #include <sys/capability.h>
  27. #endif
  28. #include "capabilities.hh"
  29. #include "misc.hh"
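  /**
   * Reduce the capabilities of the calling process to the named set.
   *
   * Every capability is cleared from a copy of the current capability state,
   * then each name in capabilitiesToKeep is raised again in both the
   * effective and the permitted set, and the result is applied to the
   * process with cap_set_proc(). The inheritable set is left cleared.
   *
   * When the build lacks libcap (HAVE_LIBCAP undefined) this function is a
   * no-op: nothing is dropped, so callers must not treat a normal return as
   * proof that privileges were reduced on such builds.
   *
   * @param capabilitiesToKeep capability names as understood by
   *        cap_from_name(); an empty set drops everything.
   * @throws std::runtime_error if the current state cannot be read, a name is
   *         not recognised, or the reduced set cannot be built or applied.
   */
  void dropCapabilities(std::set<std::string> capabilitiesToKeep)
  {
  #ifdef HAVE_LIBCAP
    cap_t caps = cap_get_proc();
    if (caps == nullptr) {
      // Fail closed: returning quietly here would leave the process running
      // with its full capability set while the caller believes it was reduced.
      throw std::runtime_error("Unable to get the current capabilities: " + stringerror());
    }

    try {
      if (cap_clear(caps) != 0) {
        throw std::runtime_error("Unable to clear capabilities: " + stringerror());
      }

      if (!capabilitiesToKeep.empty()) {
        std::vector<cap_value_t> toKeep;
        toKeep.reserve(capabilitiesToKeep.size());

        for (const auto& capToKeep : capabilitiesToKeep) {
          cap_value_t value;
          if (cap_from_name(capToKeep.c_str(), &value) != 0) {
            // An unknown name aborts the whole operation rather than being
            // skipped, so a typo cannot silently change the resulting set.
            throw std::runtime_error("Unable to convert capability name '" + capToKeep + "': " + stringerror());
          }
          toKeep.push_back(value);
        }

        const int count = static_cast<int>(toKeep.size());
        if (cap_set_flag(caps, CAP_EFFECTIVE, count, toKeep.data(), CAP_SET) != 0) {
          throw std::runtime_error("Unable to set effective flag capabilities: " + stringerror());
        }
        if (cap_set_flag(caps, CAP_PERMITTED, count, toKeep.data(), CAP_SET) != 0) {
          throw std::runtime_error("Unable to set permitted flag capabilities: " + stringerror());
        }
      }

      if (cap_set_proc(caps) != 0) {
        throw std::runtime_error("Unable to drop capabilities: " + stringerror());
      }
    }
    catch (...) {
      // Single release point for every failure path, including allocation
      // failures. The error text is built before cap_free() runs, so the
      // reported error cannot be disturbed by the cleanup call
      // (assumes stringerror() formats errno; confirm in misc.hh).
      cap_free(caps);
      throw;
    }

    cap_free(caps);
  #endif /* HAVE_LIBCAP */
  }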