pve-lxc-syscalld/src/capability.rs

use std::io;
use std::os::raw::c_ulong;

bitflags::bitflags! {
    pub struct SecureBits: c_ulong {
        const NOROOT                        = 0b0_0000_0001;
        const NOROOT_LOCKED                 = 0b0_0000_0010;
        const NO_SETUID_FIXUP               = 0b0_0000_0100;
        const NO_SETUID_FIXUP_LOCKED        = 0b0_0000_1000;
        const KEEP_CAPS                     = 0b0_0001_0000;
        const KEEP_CAPS_LOCKED              = 0b0_0010_0000;
        const NO_CAP_AMBIENT_RAISE          = 0b0_0100_0000;
        const NO_CAP_AMBIENT_RAISE_LOCKED   = 0b0_1000_0000;

        const ALL_BITS                      = 0b0_0101_0101;
        const ALL_LOCKS                     = 0b0_1010_1010;
    }
}

impl SecureBits {
    pub fn apply(self) -> io::Result<()> {
        c_call!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?;
        Ok(())
    }

    pub fn get_current() -> io::Result<Self> {
        let bits = c_call!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?;
        Self::from_bits(bits as _)
            .ok_or_else(|| io_format_err!("prctl() returned unknown securebits"))
    }
}
set SECBIT_KEEP_CAPS That's the one we actually want instead of PR_SET_KEEPCAPS Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-07-15 09:05:58 +02:00			`use std::io;`
			`use std::os::raw::c_ulong;`

			`bitflags::bitflags! {`
			`pub struct SecureBits: c_ulong {`
clippy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-03 12:45:29 +02:00			`const NOROOT = 0b0_0000_0001;`
			`const NOROOT_LOCKED = 0b0_0000_0010;`
			`const NO_SETUID_FIXUP = 0b0_0000_0100;`
			`const NO_SETUID_FIXUP_LOCKED = 0b0_0000_1000;`
			`const KEEP_CAPS = 0b0_0001_0000;`
			`const KEEP_CAPS_LOCKED = 0b0_0010_0000;`
			`const NO_CAP_AMBIENT_RAISE = 0b0_0100_0000;`
			`const NO_CAP_AMBIENT_RAISE_LOCKED = 0b0_1000_0000;`
set SECBIT_KEEP_CAPS That's the one we actually want instead of PR_SET_KEEPCAPS Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-07-15 09:05:58 +02:00
clippy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-03 12:45:29 +02:00			`const ALL_BITS = 0b0_0101_0101;`
			`const ALL_LOCKS = 0b0_1010_1010;`
set SECBIT_KEEP_CAPS That's the one we actually want instead of PR_SET_KEEPCAPS Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-07-15 09:05:58 +02:00			`}`
			`}`

			`impl SecureBits {`
clippy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-04 09:46:31 +02:00			`pub fn apply(self) -> io::Result<()> {`
set SECBIT_KEEP_CAPS That's the one we actually want instead of PR_SET_KEEPCAPS Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-07-15 09:05:58 +02:00			`c_call!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?;`
			`Ok(())`
			`}`

			`pub fn get_current() -> io::Result<Self> {`
			`let bits = c_call!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?;`
			`Self::from_bits(bits as _)`
			`.ok_or_else(\|\| io_format_err!("prctl() returned unknown securebits"))`
			`}`
			`}`