caps: refactor the code to make it readable for the --keep_caps case

Robert Swiecki 2017-09-30 00:36:11 +02:00
parent d20aa424e0
commit 41e9ea52ba

93
caps.c

@ -164,7 +164,46 @@ static void capsSetInheritable(cap_user_data_t cap_data, unsigned int cap)
cap_data[off_byte].inheritable |= (1U << off_bit); cap_data[off_byte].inheritable |= (1U << off_bit);
} }
bool capsInitNs(struct nsjconf_t *nsjconf) #if !defined(PR_CAP_AMBIENT)
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif /* !defined(PR_CAP_AMBIENT) */
bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
{
char dbgmsg[4096];
dbgmsg[0] = '\0';
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
if (capsGetPermitted(cap_data, capNames[i].val) == true) {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
capsSetInheritable(cap_data, capNames[i].val);
}
}
LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
if (capsSet(cap_data) == false) {
return false;
}
dbgmsg[0] = '\0';
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
if (capsGetPermitted(cap_data, capNames[i].val) == false) {
continue;
}
if (prctl
(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)capNames[i].val, 0UL,
0UL) == -1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", capNames[i].name);
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
}
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
return true;
}
bool capsInitNs(struct nsjconf_t * nsjconf)
{ {
cap_user_data_t cap_data = capsGet(); cap_user_data_t cap_data = capsGet();
if (cap_data == NULL) { if (cap_data == NULL) {
@ -172,17 +211,12 @@ bool capsInitNs(struct nsjconf_t *nsjconf)
} }
capsClearInheritable(cap_data); capsClearInheritable(cap_data);
if (nsjconf->keep_caps) {
return CapsInitNsKeepCaps(cap_data);
}
char dbgmsg[4096]; char dbgmsg[4096];
dbgmsg[0] = '\0'; dbgmsg[0] = '\0';
if (nsjconf->keep_caps) {
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
if (capsGetPermitted(cap_data, capNames[i].val) == true) {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
capsSetInheritable(cap_data, capNames[i].val);
}
}
} else {
struct ints_t *p; struct ints_t *p;
TAILQ_FOREACH(p, &nsjconf->caps, pointers) { TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (capsGetPermitted(cap_data, p->val) == false) { if (capsGetPermitted(cap_data, p->val) == false) {
@ -193,64 +227,35 @@ bool capsInitNs(struct nsjconf_t *nsjconf)
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val)); utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
capsSetInheritable(cap_data, p->val); capsSetInheritable(cap_data, p->val);
} }
}
LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg); LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
dbgmsg[0] = '\0';
if (capsSet(cap_data) == false) { if (capsSet(cap_data) == false) {
return false; return false;
} }
#if !defined(PR_CAP_AMBIENT) dbgmsg[0] = '\0';
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif /* !defined(PR_CAP_AMBIENT) */
if (nsjconf->keep_caps) {
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
if (capsGetPermitted(cap_data, capNames[i].val) == false) {
continue;
}
if (prctl
(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)capNames[i].val,
0UL, 0UL)
== -1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capNames[i].name);
} else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
}
}
} else {
struct ints_t *p;
TAILQ_FOREACH(p, &nsjconf->caps, pointers) { TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
0UL) -1) {
== -1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
capsValToStr(p->val)); capsValToStr(p->val));
} else { } else {
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val)); utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
} }
} }
}
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg); LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
dbgmsg[0] = '\0';
if (nsjconf->keep_caps == false) { dbgmsg[0] = '\0';
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) { for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
if (capsGetInheritable(cap_data, capNames[i].val) == true) { if (capsGetInheritable(cap_data, capNames[i].val) == true) {
continue; continue;
} }
utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name); utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) == if (prctl(PR_CAPBSET_DROP, (unsigned long)capNames[i].val, 0UL, 0UL, 0UL) == -1) {
-1) {
PLOG_W("prctl(PR_CAPBSET_DROP, %s)", capNames[i].name); PLOG_W("prctl(PR_CAPBSET_DROP, %s)", capNames[i].name);
return false; return false;
} }
} }
LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg); LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg);
dbgmsg[0] = '\0';
}
return true; return true;
} }
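Review bot: The new helper `CapsInitNsKeepCaps` is defined without `static` and with a capitalised name, unlike the file's other helpers such as `static void capsSetInheritable`; unless a header declares it (not visible here), `static bool capsInitNsKeepCaps(cap_user_data_t cap_data)` would keep a function that raises every permitted capability into the inheritable and ambient sets out of the global namespace. It also deserves a short comment above it, e.g. `/* --keep_caps: make every permitted capability inheritable and ambient; the bounding set is left untouched */`, because the early `return CapsInitNsKeepCaps(cap_data);` in `capsInitNs` is now the only hint that the `PR_CAPBSET_DROP` loop is skipped on this path. A failed `PR_CAP_AMBIENT_RAISE` is only logged with `PLOG_W` and the helper still returns true, which errs toward fewer privileges but is worth stating in that comment so operators know the child may run with less than `--keep_caps` implies. Parts of `capsInitNs` between the hunks are not shown on this page.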