Implemented basic subset of capabilities.

Children inherit nothing. refs #1556

Implemented basic subset of capabilities.
ce37868c · Marek Vavrusa · d37a29e9 · ce37868c · ce37868c
Commit ce37868c authored 13 years ago by Marek Vavrusa
--- a/configure.ac
+++ b/configure.ac
@@ -113,11 +113,12 @@ AC_SEARCH_LIBS([rcu_set_pointer_sym], [urcu], [], [AC_MSG_ERROR([liburcu not fou
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_SEARCH_LIBS([clock_gettime], [rt], [], [AC_MSG_ERROR([librt not found])])
 AC_SEARCH_LIBS([OpenSSL_add_all_digests], [crypto],[], [AC_MSG_ERROR([libcrypto not found])])
+AC_SEARCH_LIBS([cap_set_flag], [cap])
 #AC_SEARCH_LIBS([ldns_rr_list_pop_rrset], [ldns], [], [AC_MSG_ERROR([libldns not found])])

 # Checks for header files.
 AC_HEADER_RESOLV
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h malloc.h netdb.h netinet/in_systm.h netinet/in.h stdint.h stdlib.h string.h strings.h sys/socket.h sys/time.h syslog.h unistd.h urcu.h ev.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h malloc.h netdb.h netinet/in_systm.h netinet/in.h stdint.h stdlib.h string.h strings.h sys/socket.h sys/time.h sys/capability.h syslog.h unistd.h urcu.h ev.h])

 # Checks for typedefs, structures, and compiler characteristics.
 AC_HEADER_STDBOOL

--- a/src/knot/main.c
+++ b/src/knot/main.c
@@ -19,6 +19,9 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <getopt.h>
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
 #include "common.h"

 #include "knot/common.h"
@@ -58,6 +61,13 @@ void interrupt_handle(int s)
 	}
 }

+#ifdef HAVE_SYS_CAPABILITY_H
+static int cap_set_pe(cap_t caps, cap_value_t cp) {
+	return cap_set_flag(caps, CAP_EFFECTIVE, 1, &cp, CAP_SET)
+	       + cap_set_flag(caps, CAP_PERMITTED, 1, &cp, CAP_SET);
+}
+#endif
+
 void help(int argc, char **argv)
 {
 	printf("Usage: %sd [parameters]\n",
@@ -196,6 +206,26 @@ int main(int argc, char **argv)
 				conf()->ifaces_count, conf()->zones_count);
 	}
 	log_server_info("\n");
+	
+	/* Linux capabilities. */
+#ifdef HAVE_SYS_CAPABILITY_H
+	cap_t caps = cap_init();
+	if (caps != NULL) {
+		/* Allow binding to privileged ports.
+		 * (Not inheritable)
+		 */
+		cap_set_pe(caps, CAP_NET_BIND_SERVICE);
+		/* Allow setuid/setgid. */
+		cap_set_pe(caps, CAP_SETUID);
+		cap_set_pe(caps, CAP_SETGID);
+		/*! \todo Config file read? DAC_OVERRIDE ? */
+		/* Allow priorities changing. */
+		cap_set_pe(caps, CAP_SYS_NICE);
+		/* Inherit nothing. */
+	} else {
+		log_server_error("Couldn't initialize Linux capabilities.\n");
+	}
+#endif

 	// Create server instance
 	char* pidfile = pid_filename();