diff --git a/Knot.files b/Knot.files
index f364dccaad656272b557db1cdb163ad30c457fdd..eb6887ba443de6dcc67a5ef27116cd9cd836aba3 100644
--- a/Knot.files
+++ b/Knot.files
@@ -73,6 +73,8 @@ src/common/slab/alloc-common.h
src/common/libtap/tap.c
src/common/libtap/tap.h
src/common/libtap/tap_unit.h
+src/common/caps.h
+src/common/caps.c
src/common/lists.h
src/common/lists.c
src/common/base32.h
diff --git a/configure.ac b/configure.ac
index 1832ffb0d08e97466eed13d30ef5fea3829f9e76..eccd82f4e09128fd02b9b7b2d720d7a9d055b0a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -138,7 +138,7 @@ AC_DEFINE([DSFMT_MEXP], [521], [DSFMT parameters.])
# Checks for library functions.
AC_FUNC_FORK
AC_FUNC_MMAP
-AC_CHECK_FUNCS([gethostbyname gettimeofday memmove memset munmap regcomp pselect select socket sqrt strcasecmp strchr strdup strerror strncasecmp strtol strtoul poll epoll_wait kqueue setgroups])
+AC_CHECK_FUNCS([gethostbyname gettimeofday memmove memset munmap regcomp pselect select socket sqrt strcasecmp strchr strdup strerror strncasecmp strtol strtoul poll epoll_wait kqueue setgroups gettid])
AC_CONFIG_FILES([Makefile
samples/Makefile
diff --git a/src/Makefile.am b/src/Makefile.am
index e73b2bfb4d020fc6dfed9b58f3b2e70ed7496dc8..b50c33afa6830988b0dd982d9bf6a19f2b427551 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -223,6 +223,8 @@ libknots_la_SOURCES = \
common/libtap/tap.c \
common/libtap/tap.h \
common/libtap/tap_unit.h \
+ common/caps.c \
+ common/caps.h \
common/lists.c \
common/base32.c \
common/lists.h \
diff --git a/src/common/caps.c b/src/common/caps.c
new file mode 100644
index 0000000000000000000000000000000000000000..22fb273be5663a7df0cb6b685d33fc9122df13b8
--- /dev/null
+++ b/src/common/caps.c
@@ -0,0 +1,32 @@
+/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "caps.h"
+
+int cap_drop_all() {
+#ifdef USE_CAPABILITIES
+ cap_t caps = cap_init();
+ if (caps == NULL) {
+ return -1;
+ }
+ int ret = cap_apply(caps);
+ cap_free(caps);
+ return ret;
+#else
+ return -1;
+#endif
+}
+
diff --git a/src/common/caps.h b/src/common/caps.h
new file mode 100644
index 0000000000000000000000000000000000000000..657390a74206f0e07e804168b738480982b2151b
--- /dev/null
+++ b/src/common/caps.h
@@ -0,0 +1,100 @@
+/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*!
+ * \file caps.h
+ *
+ * \author Marek Vavrusa <marek.vavrusa@nic.cz>
+ *
+ * \brief POSIX 1003.1e capabilities interface.
+ *
+ * \addtogroup common_lib
+ * @{
+ */
+
+#ifndef _KNOTD_CAPS_H_
+#define _KNOTD_CAPS_H_
+
+#include <unistd.h>
+#include <config.h>
+
+/* Include required types. */
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+
+/* Check gettid(). */
+#ifndef HAVE_GETTID
+#include <sys/syscall.h>
+static pid_t gettid() {
+#ifdef SYS_gettid
+ return (pid_t)syscall(SYS_gettid);
+#define HAVE_GETTID 1
+#else
+ return (pid_t)0;
+#endif
+}
+#endif
+#else
+/* Stub types. */
+typedef void* cap_t;
+typedef int cap_value_t;
+typedef int cap_flag_value_t;
+#endif
+
+/* Summarize. */
+#ifdef HAVE_SYS_CAPABILITY_H
+#ifdef HAVE_GETTID
+#define USE_CAPABILITIES
+#endif
+#endif
+
+/*!
+ * \brief Set Permitted & Effective flag.
+ * \param caps Capabilities context.
+ * \param cp Flag to be set.
+ * \retval 0 if success.
+ * \retval -1 on error.
+ */
+static inline int cap_set_pe(cap_t caps, cap_value_t cp) {
+#ifdef USE_CAPABILITIES
+ return cap_set_flag(caps, CAP_EFFECTIVE, 1, &cp, CAP_SET) +
+ cap_set_flag(caps, CAP_PERMITTED, 1, &cp, CAP_SET);
+#else
+ return -1;
+#endif
+}
+
+/*!
+ * \brief Apply privileges.
+ * \param caps Capabilities context.
+ * \retval 0 if success.
+ * \retval -1 on error.
+ */
+static inline int cap_apply(cap_t caps) {
+#ifdef USE_CAPABILITIES
+ return capsetp(gettid(), caps);
+#else
+ return -1;
+#endif
+}
+
+/*!
+ * \brief Drop all capabilities.
+ * \retval 0 if success.
+ * \retval -1 on error.
+ */
+int cap_drop_all();
+
+#endif //_KNOTD_CAPS_H_
diff --git a/src/knot/main.c b/src/knot/main.c
index 95c4b51dad9f157f0e0b5fb36371334226b1c7ff..27cbb27c3a244a4c71997033a1a5ef51dd0f81f9 100644
--- a/src/knot/main.c
+++ b/src/knot/main.c
@@ -19,18 +19,16 @@
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
-#ifdef HAVE_SYS_CAPABILITY_H
-#include <sys/capability.h>
-#endif
#include "common.h"
+#include "common/evqueue.h"
+#include "common/caps.h"
#include "knot/common.h"
#include "knot/other/error.h"
#include "knot/server/server.h"
#include "knot/ctl/process.h"
#include "knot/conf/conf.h"
#include "knot/conf/logconf.h"
-#include "common/evqueue.h"
#include "knot/server/zones.h"
/*----------------------------------------------------------------------------*/
@@ -61,13 +59,6 @@ void interrupt_handle(int s)
}
}
-#ifdef HAVE_SYS_CAPABILITY_H
-static int cap_set_pe(cap_t caps, cap_value_t cp) {
- return cap_set_flag(caps, CAP_EFFECTIVE, 1, &cp, CAP_SET)
- + cap_set_flag(caps, CAP_PERMITTED, 1, &cp, CAP_SET);
-}
-#endif
-
void help(int argc, char **argv)
{
printf("Usage: %sd [parameters]\n",
@@ -193,31 +184,33 @@ int main(int argc, char **argv)
}
/* Linux capabilities. */
-#ifdef HAVE_SYS_CAPABILITY_H
+#ifdef USE_CAPABILITIES
cap_t caps = cap_get_proc();
if (caps != NULL) {
/* Read current and clear. */
cap_flag_value_t set_caps = CAP_CLEAR;
cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &set_caps);
cap_clear(caps);
+
+ /* Retain ability to set capabilities. */
+ cap_set_pe(caps, CAP_SETPCAP);
/* Allow binding to privileged ports.
* (Not inheritable)
- */
+ */
cap_set_pe(caps, CAP_NET_BIND_SERVICE);
/* Allow setuid/setgid. */
cap_set_pe(caps, CAP_SETUID);
cap_set_pe(caps, CAP_SETGID);
- cap_set_pe(caps, CAP_SETPCAP);
- /*! \todo Config file read? DAC_OVERRIDE ? */
+
/* Allow priorities changing. */
cap_set_pe(caps, CAP_SYS_NICE);
- /* Inherit nothing. */
+
/* Apply */
int caps_res = 0;
if (set_caps == CAP_SET) {
- caps_res = cap_set_proc(caps);
+ caps_res = cap_apply(caps);
} else {
log_server_info("User uid=%d is not allowed to set "
"capabilities, skipping.\n", getuid());
diff --git a/src/knot/server/dthreads.c b/src/knot/server/dthreads.c
index 9d1e69d89db0e55c2f1a2ad6c7241444a6891f63..3ddf4593601e0114bfeba979427550bcde86b485 100644
--- a/src/knot/server/dthreads.c
+++ b/src/knot/server/dthreads.c
@@ -26,6 +26,7 @@
#include "knot/server/dthreads.h"
#include "knot/other/log.h"
#include "knot/other/error.h"
+#include "common/caps.h"
/*! \brief Lock thread state for R/W. */
static inline void lock_thread_rw(dthread_t *thread)
@@ -123,6 +124,9 @@ static void *thread_ep(void *data)
pthread_sigmask(SIG_BLOCK, &ignset, 0); /*! \todo Review under BSD. */
dbg_dt("dthreads: [%p] entered ep\n", thread);
+
+ // Drop capabilities
+ cap_drop_all();
// Run loop
for (;;) {