From 5eddf13b73a01f3b334e5be80fc3cc1b312d1fea Mon Sep 17 00:00:00 2001 From: dsmith Date: Tue, 14 Aug 2007 15:23:59 +0000 Subject: 2007-08-14 David Smith Merge from setuid-branch. Changes also by Martin Hunt . * staprun.c (init_staprun): Drop CAP_SYS_ADMIN when we're done with it. (main): Calls parse_modpath instead of path_parse_modname. Just call parse_modpath with argv[optind]. Let it allocate and set modpath and modname. If no modulename was given, display usage and exit. Drop CAP_SYS_NICE when we're done with it. Set atexit(exit_cleanup) so cleanup always gets called and modules get removed. Call handle_symbols. (run_stapio): Set argv[0] to stapio so that it executes as itself instead of staprun. (cleanup): Only do cleanups once and only try to remove module when appropriate. (exit_cleanup): New. Calls cleanup(). (mountfs): Sets uid to root before making directory and then restores uid. (setup_ctl_channel): Uses DEBUGFS define and improved error message. (setup_relayfs): Ditto. (setup_oldrelayfs): Uses DEBUGFS and RELAYFS defines. (run_stp_check): Replaced by mountfs(). (mountfs): New function. Replaces an external script with C code. (init_staprun): Calls mountfs() instead of run_stp_check(). * staprun.h: Renamed path_parse_modname to parse_modpath. Added MODULE_NAME_LEN define. Added [_][p]err macros. Removed VERSION_CMD. * mainloop.c (cleanup_and_exit): Make sure initialized is 2 before exiting with code 2. (stp_main_loop): Set initialized to 2 when STP_TRANSPORT is received. Call cleanup_and_exit() with proper status. (start_cmd): exit 1 instead of -1. (system_cmd): Ditto. (init_staprun): Renamed init_stapio. (cleanup_and_exit): Set exit status. * cap.c: New file. * common.c: New file. * stapio.c: New file. * staprun_funcs.c: New file. * Makefile: Removed. * symbols.c (get_sections): Move the filter code up so that uninteresting section names are filtered out before attempting to open them. (do_kernel_symbols): Better detect overfow conditions and realloc new space. (do_module): After sending all modules, send a null message to indicate we are finished. * ctl.c (init_ctl_channel): When attempting to attach, if the control channel doesn't exist, print a better error message. * relay_old.c (init_oldrelayfs): Errors out if open_relayfs_files() couldn't open any files. PR 4795 * mainloop.c (send_request): Fixed buffer overflow check. * staprun.h: Added buffer overflow checking versions of strcpy/sprintf/snprintf. * common.c (path_parse_modname): Checks for overflows on strcpy/sprintf/snprintf. (read_buffer_info): Ditto. * ctl.c (init_ctl_channel): Ditto. * relay.c (init_relayfs): Ditto. * relay_old.c (open_relayfs_files): Ditto. (init_oldrelayfs): Ditto. * staprun_funcs.c (insert_module): Ditto. (check_path): Ditto. * symbols.c (get_sections): Ditto. --- runtime/staprun/cap.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 runtime/staprun/cap.c (limited to 'runtime/staprun/cap.c') diff --git a/runtime/staprun/cap.c b/runtime/staprun/cap.c new file mode 100644 index 00000000..df4a7130 --- /dev/null +++ b/runtime/staprun/cap.c @@ -0,0 +1,158 @@ +/* -*- linux-c -*- + * + * cap.c - staprun capabilities functions + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * + */ + +#include "staprun.h" +#include + +/* like perror, but exits */ +#define ferror(msg) { \ + _perr(msg); \ + exit(1); \ + } \ + +/* + * init_cap() sets up the initial capabilities for staprun. Then + * it calls prctl( PR_SET_KEEPCAPS) to arrrange to keep these capabilities + * even when not running as root. Next it resets the real, effective, and + * saved uid and gid back to the normal user. + * + * There are two sets of capabilities we are concerned with; permitted + * and effective. The permitted capabilities are all the capabilities + * that this process is ever permitted to have. They are defined in init_cap() + * and may be permanently removed with drop_cap(). + * + * Effective capabilities are the capabilities from the permitted set + * that are currently enabled. A good practice would be to only enable + * capabilities when necessary and to delete or drop them as soon as possible. + * + * Capabilities we might use include: + * + * CAP_SYS_MODULE - insert and remove kernel modules + * CAP_SYS_ADMIN - misc, including mounting and unmounting + * CAP_SYS_NICE - setpriority() + * CAP_SETUID - allows setuid + * CAP_SETGID - allows setgid + * CAP_CHOWN - allows chown + */ + +int init_cap(void) +{ + cap_t caps = cap_init(); + cap_value_t capv[] = {CAP_SYS_MODULE, CAP_SYS_ADMIN, CAP_SYS_NICE, CAP_SETUID, CAP_SETGID}; + const int numcaps = sizeof(capv) / sizeof(capv[0]); + uid_t uid = getuid(); + gid_t gid = getgid(); + + cap_clear(caps); + if (caps == NULL) + ferror("cap_init"); + + if (cap_set_flag(caps, CAP_PERMITTED, numcaps, capv, CAP_SET) < 0) + ferror("cap_set_flag"); + + if (cap_set_proc(caps) < 0) + ferror("cap_set_proc"); + + cap_free(caps); + + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) + ferror("prctl"); + + if (setresuid(uid, uid, uid) < 0) + ferror("setresuid"); + + if (setresgid(gid, gid, gid) < 0) + ferror("setresgid"); + + return 1; +} + +void print_cap(char *text) +{ + int p; + cap_t caps = cap_get_proc(); + uid_t uid, euid, suid; + gid_t gid, egid, sgid; + + if (caps == NULL) { + perr("cap_get_proc"); + return; + } + + getresuid(&uid, &euid, &suid); + getresgid(&gid, &egid, &sgid); + + printf("***** %s\n", text); + + if ((p=prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0)) < 0) + perr("Couldn't get PR_SET_KEEPCAPS flag value"); + else + printf("KEEPCAPS: %d\n", p); + + printf("uid: %d, euid: %d, suid: %d\ngid: %d. egid: %d, sgid: %d\n", + uid, euid, suid, gid, egid, sgid ); + printf("Caps: %s\n", cap_to_text(caps, NULL)); + cap_free(caps); + printf("*****\n\n"); +} + +/* drop_cap() permanently removes a capability from the permitted set. There is + * no way to recover the capability after this. You do not need to remove + * it from the effective set before calling this. + */ +void drop_cap(cap_value_t cap) +{ + cap_t caps = cap_get_proc(); + if (caps == NULL) + ferror("cap_get_proc failed"); + if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_CLEAR) < 0) + ferror("Could not clear effective capabilities"); + if (cap_set_proc(caps) < 0) + ferror("Could not apply capability set"); + cap_free(caps); +} + +/* add_cap() adds a permitted capability to the effective set. */ +void add_cap(cap_value_t cap) +{ + cap_t caps = cap_get_proc(); + if (caps == NULL) + ferror("cap_get_proc failed"); + if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) < 0) + ferror("Could not set effective capabilities"); + if (cap_set_proc(caps) < 0) + ferror("Could not apply capability set"); + cap_free(caps); +} + +/* del_cap() deletes a permitted capability from the effective set. */ +void del_cap(cap_value_t cap) +{ + cap_t caps = cap_get_proc(); + if (caps == NULL) + ferror("cap_get_proc failed"); + if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR) < 0) + ferror("Could not clear effective capabilities"); + if (cap_set_proc(caps) < 0) + ferror("Could not apply capability set"); + cap_free(caps); +} -- cgit