author | Brian Utterback <Brian.Utterback@Oracle.COM> |
Mon, 18 Jul 2011 12:08:25 -0700 | |
changeset 417 | 7c10b5cba79b |
permissions | -rw-r--r-- |
417
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
1 |
diff --git lib/privs.c lib/privs.c |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
2 |
index d290a59..d4dcdf2 100644 |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
3 |
--- lib/privs.c |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
4 |
+++ lib/privs.c |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
5 |
@@ -2,7 +2,7 @@ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
6 |
* Zebra privileges. |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
7 |
* |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
8 |
* Copyright (C) 2003 Paul Jakma. |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
9 |
- * Copyright (C) 2005 Sun Microsystems, Inc. |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
10 |
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
11 |
* |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
12 |
* This file is part of GNU Zebra. |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
13 |
* |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
14 |
@@ -351,6 +351,26 @@ zprivs_caps_terminate (void) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
15 |
* - http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1 |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
16 |
*/ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
17 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
18 |
+static pset_t * |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
19 |
+zprivs_caps_minimal () |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
20 |
+{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
21 |
+ pset_t *minimal; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
22 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
23 |
+ if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
24 |
+ { |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
25 |
+ fprintf (stderr, "%s: couldn't get basic set!\n", __func__); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
26 |
+ exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
27 |
+ } |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
28 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
29 |
+ /* create a minimal privilege set from the basic set */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
30 |
+ (void) priv_delset(minimal, PRIV_PROC_EXEC); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
31 |
+ (void) priv_delset(minimal, PRIV_PROC_INFO); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
32 |
+ (void) priv_delset(minimal, PRIV_PROC_SESSION); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
33 |
+ (void) priv_delset(minimal, PRIV_FILE_LINK_ANY); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
34 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
35 |
+ return minimal; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
36 |
+} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
37 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
38 |
/* convert zebras privileges to system capabilities */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
39 |
static pset_t * |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
40 |
zcaps2sys (zebra_capabilities_t *zcaps, int num) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
41 |
@@ -379,26 +399,34 @@ zcaps2sys (zebra_capabilities_t *zcaps, int num) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
42 |
int |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
43 |
zprivs_change_caps (zebra_privs_ops_t op) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
44 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
45 |
+ pset_t *privset; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
46 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
47 |
/* should be no possibility of being called without valid caps */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
48 |
assert (zprivs_state.syscaps_p); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
49 |
if (!zprivs_state.syscaps_p) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
50 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
51 |
+ fprintf (stderr, "%s: Eek, missing privileged caps!", __func__); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
52 |
+ exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
53 |
+ } |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
54 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
55 |
+ assert (zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
56 |
+ if (!zprivs_state.caps) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
57 |
+ { |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
58 |
fprintf (stderr, "%s: Eek, missing caps!", __func__); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
59 |
exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
60 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
61 |
- |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
62 |
- /* to raise: copy original permitted into our working effective set |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
63 |
- * to lower: just clear the working effective set |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
64 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
65 |
+ /* to raise: copy original permitted as our working effective set |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
66 |
+ * to lower: copy regular effective set stored in zprivs_state.caps |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
67 |
*/ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
68 |
if (op == ZPRIVS_RAISE) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
69 |
- priv_copyset (zprivs_state.syscaps_p, zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
70 |
+ privset = zprivs_state.syscaps_p; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
71 |
else if (op == ZPRIVS_LOWER) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
72 |
- priv_emptyset (zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
73 |
+ privset = zprivs_state.caps; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
74 |
else |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
75 |
return -1; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
76 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
77 |
- if (setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps) != 0) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
78 |
+ if (setppriv (PRIV_SET, PRIV_EFFECTIVE, privset) != 0) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
79 |
return -1; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
80 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
81 |
return 0; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
82 |
@@ -426,15 +454,15 @@ zprivs_state_caps (void) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
83 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
84 |
else |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
85 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
86 |
- if (priv_isemptyset (effective) == B_TRUE) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
87 |
+ if (priv_isequalset (effective, zprivs_state.syscaps_p)) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
88 |
+ result = ZPRIVS_RAISED; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
89 |
+ else if (priv_isequalset (effective, zprivs_state.caps)) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
90 |
result = ZPRIVS_LOWERED; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
91 |
else |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
92 |
- result = ZPRIVS_RAISED; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
93 |
+ result = ZPRIVS_UNKNOWN; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
94 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
95 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
96 |
- if (effective) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
97 |
- priv_freeset (effective); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
98 |
- |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
99 |
+ priv_freeset (effective); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
100 |
return result; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
101 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
102 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
103 |
@@ -442,7 +470,7 @@ static void |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
104 |
zprivs_caps_init (struct zebra_privs_t *zprivs) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
105 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
106 |
pset_t *basic; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
107 |
- pset_t *empty; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
108 |
+ pset_t *minimal; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
109 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
110 |
/* the specified sets */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
111 |
zprivs_state.syscaps_p = zcaps2sys (zprivs->caps_p, zprivs->cap_num_p); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
112 |
@@ -470,14 +498,6 @@ zprivs_caps_init (struct zebra_privs_t *zprivs) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
113 |
priv_union (basic, zprivs_state.syscaps_p); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
114 |
priv_freeset (basic); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
115 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
116 |
- /* we need an empty set for 'effective', potentially for inheritable too */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
117 |
- if ( (empty = priv_allocset()) == NULL) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
118 |
- { |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
119 |
- fprintf (stderr, "%s: couldn't get empty set!\n", __func__); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
120 |
- exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
121 |
- } |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
122 |
- priv_emptyset (empty); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
123 |
- |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
124 |
/* Hey kernel, we know about privileges! |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
125 |
* this isn't strictly required, use of setppriv should have same effect |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
126 |
*/ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
127 |
@@ -520,16 +540,19 @@ zprivs_caps_init (struct zebra_privs_t *zprivs) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
128 |
exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
129 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
130 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
131 |
- /* now clear the effective set and we're ready to go */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
132 |
- if (setppriv (PRIV_SET, PRIV_EFFECTIVE, empty)) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
133 |
+ /* we need a minimal basic set for 'effective', potentially for inheritable too */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
134 |
+ minimal = zprivs_caps_minimal(); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
135 |
+ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
136 |
+ /* now set the effective set with a subset of basic privileges */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
137 |
+ if (setppriv (PRIV_SET, PRIV_EFFECTIVE, minimal)) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
138 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
139 |
fprintf (stderr, "%s: error setting effective set!, %s\n", __func__, |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
140 |
safe_strerror (errno) ); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
141 |
exit (1); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
142 |
} |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
143 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
144 |
- /* we'll use this as our working-storage privset */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
145 |
- zprivs_state.caps = empty; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
146 |
+ /* we'll use the minimal set as our working-storage privset */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
147 |
+ zprivs_state.caps = minimal; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
148 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
149 |
/* set methods for the caller to use */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
150 |
zprivs->change = zprivs_change_caps; |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
151 |
@@ -541,8 +564,7 @@ zprivs_caps_terminate (void) |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
152 |
{ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
153 |
assert (zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
154 |
|
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
155 |
- /* clear all capabilities */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
156 |
- priv_emptyset (zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
157 |
+ /* clear all capabilities by using working-storage privset */ |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
158 |
setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
159 |
setppriv (PRIV_SET, PRIV_PERMITTED, zprivs_state.caps); |
7c10b5cba79b
7066915 Move Quagga to Userland
Brian Utterback <Brian.Utterback@Oracle.COM>
parents:
diff
changeset
|
160 |
setppriv (PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps); |