]>
Commit | Line | Data |
---|---|---|
738dbfbe | 1 | use std::io; |
3bbd1db0 | 2 | use std::os::raw::{c_int, c_ulong}; |
738dbfbe | 3 | |
738dbfbe WB |
4 | bitflags::bitflags! { |
5 | pub struct SecureBits: c_ulong { | |
bd05b957 WB |
6 | const NOROOT = 0b0_0000_0001; |
7 | const NOROOT_LOCKED = 0b0_0000_0010; | |
8 | const NO_SETUID_FIXUP = 0b0_0000_0100; | |
9 | const NO_SETUID_FIXUP_LOCKED = 0b0_0000_1000; | |
10 | const KEEP_CAPS = 0b0_0001_0000; | |
11 | const KEEP_CAPS_LOCKED = 0b0_0010_0000; | |
12 | const NO_CAP_AMBIENT_RAISE = 0b0_0100_0000; | |
13 | const NO_CAP_AMBIENT_RAISE_LOCKED = 0b0_1000_0000; | |
738dbfbe | 14 | |
bd05b957 WB |
15 | const ALL_BITS = 0b0_0101_0101; |
16 | const ALL_LOCKS = 0b0_1010_1010; | |
738dbfbe WB |
17 | } |
18 | } | |
19 | ||
20 | impl SecureBits { | |
baedb4ca | 21 | pub fn apply(self) -> io::Result<()> { |
a18b03f3 | 22 | c_result!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?; |
738dbfbe WB |
23 | Ok(()) |
24 | } | |
25 | ||
26 | pub fn get_current() -> io::Result<Self> { | |
a18b03f3 | 27 | let bits = c_result!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?; |
738dbfbe WB |
28 | Self::from_bits(bits as _) |
29 | .ok_or_else(|| io_format_err!("prctl() returned unknown securebits")) | |
30 | } | |
31 | } | |
3bbd1db0 WB |
32 | |
33 | #[derive(Clone, Default)] | |
34 | pub struct Capabilities { | |
35 | pub inheritable: u64, | |
36 | pub permitted: u64, | |
37 | pub effective: u64, | |
38 | //bounding: u64, // we don't care currently | |
39 | } | |
40 | ||
41 | // Too lazy to bindgen libcap stuff... | |
42 | const CAPABILITY_VERSION_3: u32 = 0x2008_0522; | |
43 | ||
44 | /// Represents process capabilities. | |
45 | /// | |
46 | /// This can be used to change the process' capability sets (if permitted by the kernel). | |
47 | impl Capabilities { | |
48 | // We currently don't implement capget as it takes a pid which is racy on kernels without pidfd | |
49 | // support. Later on we might support a `capget(&PidFd)` method? | |
50 | ||
51 | /// Change our process capabilities. This does not include the bounding set. | |
52 | pub fn capset(&self) -> io::Result<()> { | |
3bbd1db0 | 53 | // kernel abi: |
5bd0c562 | 54 | #[allow(dead_code)] |
3bbd1db0 WB |
55 | struct Header { |
56 | version: u32, | |
57 | pid: c_int, | |
58 | } | |
59 | ||
5bd0c562 | 60 | #[allow(dead_code)] |
3bbd1db0 WB |
61 | struct Data { |
62 | effective: u32, | |
63 | permitted: u32, | |
64 | inheritable: u32, | |
65 | } | |
66 | ||
67 | let header = Header { | |
68 | version: CAPABILITY_VERSION_3, | |
69 | pid: 0, // equivalent to gettid(), | |
70 | }; | |
71 | ||
72 | let data = [ | |
73 | Data { | |
74 | effective: self.effective as u32, | |
75 | permitted: self.permitted as u32, | |
76 | inheritable: self.inheritable as u32, | |
77 | }, | |
78 | Data { | |
79 | effective: (self.effective >> 32) as u32, | |
80 | permitted: (self.permitted >> 32) as u32, | |
81 | inheritable: (self.inheritable >> 32) as u32, | |
82 | }, | |
83 | ]; | |
84 | ||
85 | c_try!(unsafe { libc::syscall(libc::SYS_capset, &header, &data) }); | |
86 | ||
87 | Ok(()) | |
88 | } | |
89 | } |