systemd/src/shared/capability.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <inttypes.h>
#include <stdbool.h>
#include <sys/capability.h>

#include "util.h"

unsigned long cap_last_cap(void);
int have_effective_cap(int value);
int capability_bounding_set_drop(uint64_t drop, bool right_now);
int capability_bounding_set_drop_usermode(uint64_t drop);

int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites);

DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free);
#define _cleanup_cap_free_ _cleanup_(cap_freep)

static inline void cap_free_charpp(char **p) {
        if (*p)
                cap_free(*p);
}
#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp)
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00			`/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/`

use #pragma once instead of foo*foo define guards 2013-11-18 19:58:43 +04:00			`#pragma once`
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00
			`/***`
			`This file is part of systemd.`

util: move all to shared/ and split external dependencies in separate internal libraries Before: $ ldd /lib/systemd/systemd-timestamp linux-vdso.so.1 => (0x00007fffb05ff000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f90aac57000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f90aaa53000) librt.so.1 => /lib64/librt.so.1 (0x00007f90aa84a000) libc.so.6 => /lib64/libc.so.6 (0x00007f90aa494000) /lib64/ld-linux-x86-64.so.2 (0x00007f90aae90000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f90aa290000) libattr.so.1 => /lib64/libattr.so.1 (0x00007f90aa08a000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f90a9e6e000) After: $ ldd systemd-timestamp linux-vdso.so.1 => (0x00007fff3cbff000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5eaa1c3000) librt.so.1 => /lib64/librt.so.1 (0x00007f5ea9fbb000) libc.so.6 => /lib64/libc.so.6 (0x00007f5ea9c04000) /lib64/ld-linux-x86-64.so.2 (0x00007f5eaa3fc000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f5ea9a00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5ea97e4000) 2012-04-10 15:39:02 +04:00			`Copyright 2010 Lennart Poettering`
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00
			`systemd is free software; you can redistribute it and/or modify it`
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`under the terms of the GNU Lesser General Public License as published by`
			`the Free Software Foundation; either version 2.1 of the License, or`
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00			`(at your option) any later version.`

			`systemd is distributed in the hope that it will be useful, but`
			`WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`Lesser General Public License for more details.`
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`You should have received a copy of the GNU Lesser General Public License`
conf: enforce UTF8 validty everywhere we need to make sure that configuration data we expose via the bus ends up in using getting an assert(). Even though configuration data is only parsed from trusted sources we should be more careful with what we read. 2012-03-13 01:22:16 +04:00			`along with systemd; If not, see <http://www.gnu.org/licenses/>.`
			`***/`

main: add configuration option to alter capability bounding set for PID 1 This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway. 2012-05-24 06:00:56 +04:00			`#include <inttypes.h>`
			`#include <stdbool.h>`
Introduce cleanup functions for cap_free Unfortunately a different cleanup function is necessary per type, because cap_t and char are incompatible with void**. 2014-01-01 07:35:54 +04:00			`#include <sys/capability.h>`

			`#include "util.h"`
main: add configuration option to alter capability bounding set for PID 1 This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway. 2012-05-24 06:00:56 +04:00
util: move all to shared/ and split external dependencies in separate internal libraries Before: $ ldd /lib/systemd/systemd-timestamp linux-vdso.so.1 => (0x00007fffb05ff000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f90aac57000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f90aaa53000) librt.so.1 => /lib64/librt.so.1 (0x00007f90aa84a000) libc.so.6 => /lib64/libc.so.6 (0x00007f90aa494000) /lib64/ld-linux-x86-64.so.2 (0x00007f90aae90000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f90aa290000) libattr.so.1 => /lib64/libattr.so.1 (0x00007f90aa08a000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f90a9e6e000) After: $ ldd systemd-timestamp linux-vdso.so.1 => (0x00007fff3cbff000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5eaa1c3000) librt.so.1 => /lib64/librt.so.1 (0x00007f5ea9fbb000) libc.so.6 => /lib64/libc.so.6 (0x00007f5ea9c04000) /lib64/ld-linux-x86-64.so.2 (0x00007f5eaa3fc000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f5ea9a00000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5ea97e4000) 2012-04-10 15:39:02 +04:00			`unsigned long cap_last_cap(void);`
			`int have_effective_cap(int value);`
capabilities: when dropping capabilities system-wide also drop them from usermode helpers This hooks things up with /proc/sys/kernel/usermodehelper/bset and /proc/sys/kernel/usermodehelper/inheritable. 2012-05-30 01:33:38 +04:00			`int capability_bounding_set_drop(uint64_t drop, bool right_now);`
			`int capability_bounding_set_drop_usermode(uint64_t drop);`
Introduce cleanup functions for cap_free Unfortunately a different cleanup function is necessary per type, because cap_t and char are incompatible with void**. 2014-01-01 07:35:54 +04:00
timesyncd: split privilege dropping code out of timesyncd so that we can make use of it from other daemons too This is preparation to make networkd work as unpriviliged user. 2014-06-01 10:49:33 +04:00			`int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilites);`

Introduce cleanup functions for cap_free Unfortunately a different cleanup function is necessary per type, because cap_t and char are incompatible with void**. 2014-01-01 07:35:54 +04:00			`DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free);`
			`#define _cleanup_cap_free_ _cleanup_(cap_freep)`

			`static inline void cap_free_charpp(char **p) {`
			`if (*p)`
			`cap_free(*p);`
			`}`
			`#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp)`