*
*/
-#include "config-host.h"
-
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <ctype.h>
-#include <glib.h>
-
-#include <sys/types.h>
+#include "qemu/osdep.h"
+
+
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <linux/sockios.h>
-#include "qemu-queue.h"
+#ifndef SIOCBRADDIF
+#include <linux/if_bridge.h>
+#endif
+
+#include "qemu/queue.h"
#include "net/tap-linux.h"
+#ifdef CONFIG_LIBCAP
+#include <cap-ng.h>
+#endif
+
#define DEFAULT_ACL_FILE CONFIG_QEMU_CONFDIR "/bridge.conf"
enum {
return sendmsg(c, &msg, 0);
}
+#ifdef CONFIG_LIBCAP
+static int drop_privileges(void)
+{
+ /* clear all capabilities */
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_NET_ADMIN) < 0) {
+ return -1;
+ }
+
+ /* change to calling user's real uid and gid, retaining supplemental
+ * groups and CAP_NET_ADMIN */
+ if (capng_change_id(getuid(), getgid(), CAPNG_CLEAR_BOUNDING)) {
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
int main(int argc, char **argv)
{
struct ifreq ifr;
- int fd, ctlfd, unixfd = -1;
+#ifndef SIOCBRADDIF
+ unsigned long ifargs[4];
+#endif
+ int ifindex;
+ int fd = -1, ctlfd = -1, unixfd = -1;
int use_vnet = 0;
int mtu;
const char *bridge = NULL;
int access_allowed, access_denied;
int ret = EXIT_SUCCESS;
+#ifdef CONFIG_LIBCAP
+ /* if we're run from an suid binary, immediately drop privileges preserving
+ * cap_net_admin */
+ if (geteuid() == 0 && getuid() != geteuid()) {
+ if (drop_privileges() == -1) {
+ fprintf(stderr, "failed to drop privileges\n");
+ return 1;
+ }
+ }
+#endif
+
/* parse arguments */
for (index = 1; index < argc; index++) {
if (strcmp(argv[index], "--use-vnet") == 0) {
goto cleanup;
}
+ /* Linux uses the lowest enslaved MAC address as the MAC address of
+ * the bridge. Set MAC address to a high value so that it doesn't
+ * affect the MAC address of the bridge.
+ */
+ if (ioctl(ctlfd, SIOCGIFHWADDR, &ifr) < 0) {
+ fprintf(stderr, "failed to get MAC address of device `%s': %s\n",
+ iface, strerror(errno));
+ ret = EXIT_FAILURE;
+ goto cleanup;
+ }
+ ifr.ifr_hwaddr.sa_data[0] = 0xFE;
+ if (ioctl(ctlfd, SIOCSIFHWADDR, &ifr) < 0) {
+ fprintf(stderr, "failed to set MAC address of device `%s': %s\n",
+ iface, strerror(errno));
+ ret = EXIT_FAILURE;
+ goto cleanup;
+ }
+
/* add the interface to the bridge */
prep_ifreq(&ifr, bridge);
- ifr.ifr_ifindex = if_nametoindex(iface);
-
- if (ioctl(ctlfd, SIOCBRADDIF, &ifr) == -1) {
+ ifindex = if_nametoindex(iface);
+#ifndef SIOCBRADDIF
+ ifargs[0] = BRCTL_ADD_IF;
+ ifargs[1] = ifindex;
+ ifargs[2] = 0;
+ ifargs[3] = 0;
+ ifr.ifr_data = (void *)ifargs;
+ ret = ioctl(ctlfd, SIOCDEVPRIVATE, &ifr);
+#else
+ ifr.ifr_ifindex = ifindex;
+ ret = ioctl(ctlfd, SIOCBRADDIF, &ifr);
+#endif
+ if (ret == -1) {
fprintf(stderr, "failed to add interface `%s' to bridge `%s': %s\n",
iface, bridge, strerror(errno));
ret = EXIT_FAILURE;
/* profit! */
cleanup:
-
+ if (fd >= 0) {
+ close(fd);
+ }
+ if (ctlfd >= 0) {
+ close(ctlfd);
+ }
while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) {
QSIMPLEQ_REMOVE_HEAD(&acl_list, entry);
g_free(acl_rule);
projects / mirror_qemu.git / blobdiff