File: ink_cap.cc

trafficserver 3.0.5-1
/** @file

    Helpers for inspecting, preserving, and restricting the process's POSIX capabilities.

    @section license License

    Licensed to the Apache Software Foundation (ASF) under one
    or more contributor license agreements.  See the NOTICE file
    distributed with this work for additional information
    regarding copyright ownership.  The ASF licenses this file
    to you under the Apache License, Version 2.0 (the
    "License"); you may not use this file except in compliance
    with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
*/

# include "ink_config.h"
# include "Diags.h"
# include "ink_cap.h"

# if TS_USE_POSIX_CAP
#   include <sys/capability.h>
#   include <sys/prctl.h>
# endif

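/** Log the process credentials under a debug tag.

    Always reports the real and effective user and group IDs. When built
    with TS_USE_POSIX_CAP it also reports the textual form of the process
    capability set and the calling thread's ID. Nothing is queried or
    logged unless @a tag is enabled.

    Intended as an audit aid: call it before and after a privilege change
    to confirm that the credentials actually in force are the expected ones.

    @param tag Debug tag that gates the output.
*/
void
DebugCapabilities(char const* tag) {
  if (is_debug_tag_set(tag)) {
    unsigned int const uid = static_cast<unsigned int>(getuid());
    unsigned int const gid = static_cast<unsigned int>(getgid());
    unsigned int const euid = static_cast<unsigned int>(geteuid());
    unsigned int const egid = static_cast<unsigned int>(getegid());

    // The two variants are written as separate, complete calls so that no
    // preprocessor directive sits inside the argument list of Debug(),
    // which is not portable if Debug is a function-like macro.
#   if TS_USE_POSIX_CAP
      // Both libcap calls return NULL on failure; a NULL must never reach
      // the "%s" conversion, and cap_to_text() is skipped without a set.
      cap_t caps = cap_get_proc();
      char* caps_text = caps ? cap_to_text(caps, 0) : 0;

      // pthread_t is opaque; convert it explicitly so the argument matches
      // the "%lx" conversion instead of relying on it being int-sized.
      Debug(tag,
        "uid=%u, gid=%u, euid=%u, egid=%u, caps %s thread 0x%lx"
        ,uid
        ,gid
        ,euid
        ,egid
        ,caps_text ? caps_text : "(unavailable)"
        ,(unsigned long)pthread_self()
      );

      if (caps_text) cap_free(caps_text);
      if (caps) cap_free(caps);
#   else
      Debug(tag,
        "uid=%u, gid=%u, euid=%u, egid=%u"
        ,uid
        ,gid
        ,euid
        ,egid
      );
#   endif
  }
}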

/** Ask the kernel to keep capabilities across a change of user ID.

    With TS_USE_POSIX_CAP this sets the PR_SET_KEEPCAPS flag through
    prctl(); without it the function does nothing.

    The flag only stops the permitted set from being cleared when the
    process gives up user ID 0. The capabilities still have to be narrowed
    and re-enabled afterwards, so this call is one half of a
    drop-privileges sequence rather than a complete one.

    @return The prctl() result (0 on success, -1 on failure), or 0 when
    built without POSIX capabilities. Callers should check it: if the flag
    was not set, a later user ID change discards the capabilities.
*/
int
PreserveCapabilities() {
# if TS_USE_POSIX_CAP
    return prctl(PR_SET_KEEPCAPS, 1);
# else
    return 0; // no capability support compiled in, nothing to preserve.
# endif
}

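/** Adjust the capabilities to only those needed.

    With TS_USE_POSIX_CAP this builds a capability set holding only
    CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_IPC_LOCK in the permitted
    and effective sets, then installs it on the process. The inheritable
    set is left empty because the set starts from cap_init(). Without
    TS_USE_POSIX_CAP the function does nothing.

    The set is installed only if it was built completely. Otherwise a
    failed cap_set_flag() would install an empty set and still report
    success.

    @return 0 on success (or when built without POSIX capabilities), -1 if
    the set could not be allocated, built, or installed. On failure the
    process keeps whatever capabilities it had before the call, so callers
    should treat a non-zero result as fatal rather than carry on with
    privileges that were never reduced.
*/
int
RestrictCapabilities() {
  int zret = 0; // return value.
# if TS_USE_POSIX_CAP
    cap_t caps = cap_init(); // start with nothing.
    if (!caps) {
      return -1; // allocation failed, nothing was changed.
    }

    // Capabilities we need.
    // NOTE(review): CAP_NET_ADMIN is a broad grant; confirm it is still
    // required before keeping it in this list.
    cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_IPC_LOCK };
    static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);

    if (cap_set_flag(caps, CAP_PERMITTED, CAP_COUNT, cap_list, CAP_SET) != 0 ||
        cap_set_flag(caps, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET) != 0) {
      zret = -1; // set is incomplete, do not install it.
    } else {
      zret = cap_set_proc(caps);
    }
    cap_free(caps);
#  endif
  return zret;
}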