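#ifndef _BIRD_SYSPRIV_H_
#define _BIRD_SYSPRIV_H_

/*
 * Linux privilege dropping for BIRD: switch the daemon to an unprivileged
 * user ID while retaining only the few network capabilities it needs.
 *
 * Everything below talks to the raw capset(2) interface directly rather
 * than through libcap, so the version/mask definitions it relies on are
 * provided here when the system headers lack them.
 */

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

/* <errno.h> and <string.h> are used by the inline helpers below (errno,
   EINVAL, memset); including them here keeps the header self-contained
   instead of depending on the includer's include order. */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Fallback for old kernel headers that predate the v3 capability
   interface: the v3 magic and the number of 32-bit data words it uses. */
#ifndef _LINUX_CAPABILITY_VERSION_3
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
#define _LINUX_CAPABILITY_U32S_3 2
#endif

/* CAP_TO_MASK is missing in CentOS header files.
   Note the `& 31`: this maps a capability number onto a bit of a single
   32-bit word, so a number >= 32 silently wraps onto bit (x mod 32).
   Only use it with capabilities numbered below 32 (all of the ones this
   header keeps are). */
#ifndef CAP_TO_MASK
#define CAP_TO_MASK(x) (1 << ((x) & 31))
#endif

/* capset() prototype is missing from the libc headers ... */
int capset(cap_user_header_t hdrp, const cap_user_data_t datap);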
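/*
 * Restrict the calling thread to the capability bits in @caps.
 *
 * @caps is written into both the permitted and the effective set of the
 * first 32-bit capability word.  The inheritable set and every further
 * word stay zero, so capabilities numbered 32 and above are always
 * dropped by this call.
 *
 * The request is made with _LINUX_CAPABILITY_VERSION_3.  A kernel that does
 * not support that version fails with EINVAL and stores the version it does
 * support in cap_hdr.version; the call is then retried once with the
 * rewritten header.  Older versions use at most as many data words (v1 one,
 * v2 and v3 two), so cap_dat is large enough for the retry.
 *
 * Returns 0 on success, -1 on failure with errno set by capset(2).
 */
static inline int
set_capabilities(u32 caps)
{
  struct __user_cap_header_struct cap_hdr = {
    .version = _LINUX_CAPABILITY_VERSION_3,
    .pid = 0,			/* 0 = the calling thread */
  };

  /* Designated initializer instead of memset: makes explicit that only
     word 0 is populated and that the inheritable set is deliberately empty. */
  struct __user_cap_data_struct cap_dat[_LINUX_CAPABILITY_U32S_3] = {
    [0] = { .effective = caps, .permitted = caps, .inheritable = 0 },
  };

  if (capset(&cap_hdr, cap_dat) == 0)
    return 0;

  /* Kernel may not support our version of the capability interface.  It then
     returns EINVAL and reports the version it supports in cap_hdr.version,
     so retrying with the rewritten header is enough.  An EINVAL that left the
     version untouched would just fail identically again, so it is not retried. */
  if (errno == EINVAL && cap_hdr.version != _LINUX_CAPABILITY_VERSION_3)
    return capset(&cap_hdr, cap_dat) == 0 ? 0 : -1;

  return -1;
}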
/*
 * Give up root for good: become @uid (real, effective and saved user ID)
 * while retaining only the network capabilities BIRD needs.  Each step that
 * fails is reported through die(), because running on as root would defeat
 * the purpose of the call.
 *
 * The order of the four steps matters:
 *   1. seteuid() first, so that the final setresuid() can still be done
 *      after CAP_SETUID has been dropped,
 *   2. set_capabilities() shrinks permitted/effective to the kept bits,
 *   3. PR_SET_KEEPCAPS so that the uid switch does not clear them,
 *   4. setresuid() switches all three user IDs to @uid.
 */
static void
drop_uid(uid_t uid)
{
  /* What BIRD still needs after losing root: privileged ports, broadcast,
     interface/route administration and raw sockets.  All four are numbered
     below 32, so they fit in the single word set_capabilities() installs. */
  static const int kept_caps[] = {
    CAP_NET_BIND_SERVICE,
    CAP_NET_BROADCAST,
    CAP_NET_ADMIN,
    CAP_NET_RAW,
  };

  u32 caps = 0;
  for (size_t i = 0; i < sizeof(kept_caps) / sizeof(kept_caps[0]); i++)
    caps |= CAP_TO_MASK(kept_caps[i]);

  /* Step 1: change the effective user ID now, so that the complete switch
     in step 4 does not need CAP_SETUID (which we are about to drop). */
  if (seteuid(uid) < 0)
    die("seteuid: %m");

  /* Step 2: restrict the capabilities to the set computed above. */
  if (set_capabilities(caps) < 0)
    die("capset: %m");

  /* Step 3: keep those capabilities across the drop of the root ID. */
  if (prctl(PR_SET_KEEPCAPS, 1) < 0)
    die("prctl: %m");

  /* Step 4: completely switch to the unprivileged user ID. */
  if (setresuid(uid, uid, uid) < 0)
    die("setresuid: %m");
}
81: #endif /* _BIRD_SYSPRIV_H_ */