]>
git.proxmox.com Git - mirror_lxc.git/blob - src/lxc/caps.c
2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
32 #include <sys/prctl.h>
37 lxc_log_define(lxc_caps
, lxc
);
41 #ifndef PR_CAPBSET_READ
42 #define PR_CAPBSET_READ 23
45 /* Control the ambient capability set */
46 #ifndef PR_CAP_AMBIENT
47 #define PR_CAP_AMBIENT 47
50 #ifndef PR_CAP_AMBIENT_IS_SET
51 #define PR_CAP_AMBIENT_IS_SET 1
54 #ifndef PR_CAP_AMBIENT_RAISE
55 #define PR_CAP_AMBIENT_RAISE 2
58 #ifndef PR_CAP_AMBIENT_LOWER
59 #define PR_CAP_AMBIENT_LOWER 3
62 #ifndef PR_CAP_AMBIENT_CLEAR_ALL
63 #define PR_CAP_AMBIENT_CLEAR_ALL 4
66 int lxc_caps_down(void)
71 /* when we are run as root, we don't want to play
72 * with the capabilities */
76 caps
= cap_get_proc();
78 SYSERROR("Failed to cap_get_proc");
82 ret
= cap_clear_flag(caps
, CAP_EFFECTIVE
);
84 SYSERROR("Failed to cap_clear_flag");
88 ret
= cap_set_proc(caps
);
90 SYSERROR("Failed to cap_set_proc");
105 /* when we are run as root, we don't want to play
106 * with the capabilities */
110 caps
= cap_get_proc();
112 SYSERROR("Failed to cap_get_proc");
116 for (cap
= 0; cap
<= CAP_LAST_CAP
; cap
++) {
118 cap_flag_value_t flag
;
120 ret
= cap_get_flag(caps
, cap
, CAP_PERMITTED
, &flag
);
122 if (errno
== EINVAL
) {
123 INFO("Last supported cap was %d", cap
-1);
126 SYSERROR("Failed to cap_get_flag");
131 ret
= cap_set_flag(caps
, CAP_EFFECTIVE
, 1, &cap
, flag
);
133 SYSERROR("Failed to cap_set_flag");
138 ret
= cap_set_proc(caps
);
140 SYSERROR("Failed to cap_set_proc");
149 int lxc_ambient_caps_up(void)
154 int last_cap
= CAP_LAST_CAP
;
155 char *cap_names
= NULL
;
157 /* When we are run as root, we don't want to play with the capabilities. */
161 caps
= cap_get_proc();
163 SYSERROR("Failed to retrieve capabilities");
167 for (cap
= 0; cap
<= CAP_LAST_CAP
; cap
++) {
168 cap_flag_value_t flag
;
170 ret
= cap_get_flag(caps
, cap
, CAP_PERMITTED
, &flag
);
172 if (errno
== EINVAL
) {
173 last_cap
= (cap
- 1);
174 INFO("Last supported cap was %d", last_cap
);
178 SYSERROR("Failed to retrieve capability flag");
182 ret
= cap_set_flag(caps
, CAP_INHERITABLE
, 1, &cap
, flag
);
184 SYSERROR("Failed to set capability flag");
189 ret
= cap_set_proc(caps
);
191 SYSERROR("Failed to set capabilities");
195 for (cap
= 0; cap
<= last_cap
; cap
++) {
196 ret
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_RAISE
, cap
, 0, 0);
198 SYSWARN("Failed to raise ambient capability %d", cap
);
203 cap_names
= cap_to_text(caps
, NULL
);
207 TRACE("Raised %s in inheritable and ambient capability set", cap_names
);
216 int lxc_ambient_caps_down(void)
222 /* When we are run as root, we don't want to play with the capabilities. */
226 ret
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_CLEAR_ALL
, 0, 0, 0);
228 SYSERROR("Failed to clear ambient capability set");
232 caps
= cap_get_proc();
234 SYSERROR("Failed to retrieve capabilities");
238 for (cap
= 0; cap
<= CAP_LAST_CAP
; cap
++) {
239 ret
= cap_set_flag(caps
, CAP_INHERITABLE
, 1, &cap
, CAP_CLEAR
);
241 SYSERROR("Failed to remove capability from inheritable set");
246 ret
= cap_set_proc(caps
);
248 SYSERROR("Failed to set capabilities");
257 int lxc_caps_init(void)
259 uid_t uid
= getuid();
260 gid_t gid
= getgid();
261 uid_t euid
= geteuid();
264 INFO("command is run as 'root'");
269 INFO("command is run as setuid root (uid : %d)", uid
);
271 if (prctl(PR_SET_KEEPCAPS
, 1)) {
272 SYSERROR("Failed to 'PR_SET_KEEPCAPS'");
276 if (setresgid(gid
, gid
, gid
)) {
277 SYSERROR("Failed to change gid to '%d'", gid
);
281 if (setresuid(uid
, uid
, uid
)) {
282 SYSERROR("Failed to change uid to '%d'", uid
);
287 SYSERROR("Failed to restore capabilities");
293 INFO("command is run as user '%d'", uid
);
298 static int _real_caps_last_cap(void)
303 /* try to get the maximum capability over the kernel
304 * interface introduced in v3.2 */
305 fd
= open("/proc/sys/kernel/cap_last_cap", O_RDONLY
);
311 if ((n
= read(fd
, buf
, 31)) >= 0) {
314 result
= strtol(buf
, &ptr
, 10);
315 if (!ptr
|| (*ptr
!= '\0' && *ptr
!= '\n') || errno
!= 0)
322 /* try to get it manually by trying to get the status of
323 * each capability indiviually from the kernel */
326 while (prctl(PR_CAPBSET_READ
, cap
) >= 0) cap
++;
333 int lxc_caps_last_cap(void)
335 static int last_cap
= -1;
336 if (last_cap
< 0) last_cap
= _real_caps_last_cap();
341 static bool lxc_cap_is_set(cap_t caps
, cap_value_t cap
, cap_flag_t flag
)
344 cap_flag_value_t flagval
;
346 ret
= cap_get_flag(caps
, cap
, flag
, &flagval
);
348 SYSERROR("Failed to perform cap_get_flag()");
352 return flagval
== CAP_SET
;
355 bool lxc_file_cap_is_set(const char *path
, cap_value_t cap
, cap_flag_t flag
)
357 #if LIBCAP_SUPPORTS_FILE_CAPABILITIES
361 caps
= cap_get_file(path
);
363 /* This is undocumented in the manpage but the source code show
364 * that cap_get_file() may return NULL when successful for the
365 * case where it didn't detect any file capabilities. In this
366 * case errno will be set to ENODATA.
368 if (errno
!= ENODATA
)
369 SYSERROR("Failed to perform cap_get_file()");
374 cap_is_set
= lxc_cap_is_set(caps
, cap
, flag
);
383 bool lxc_proc_cap_is_set(cap_value_t cap
, cap_flag_t flag
)
388 caps
= cap_get_proc();
390 SYSERROR("Failed to perform cap_get_proc()");
394 cap_is_set
= lxc_cap_is_set(caps
, cap
, flag
);