Merge pull request #1043 from Hummer12007/caps

Keep CAP_SYS_PTRACE with suid binary
author: Drew DeVault <sir@cmpwn.com> 2017-01-12 11:39:14 -0500
committer: GitHub <noreply@github.com> 2017-01-12 11:39:14 -0500
commit: 307e8afde29fcd4b51cd25d34b465980a0bfd686 (patch)
tree: bcfca21ab99e7ad31f0805cc08a80b6c15c3d287
parent: Fix #1008 (diff)
parent: Log capability dropping (diff)
download: sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.tar.gz
sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.tar.zst
sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/sway/main.c b/sway/main.c
index e8a02e7a..7bf71b53 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -10,6 +10,9 @@
 #include <unistd.h>
 #include <getopt.h>
 #include <sys/capability.h>
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
 #include "sway/extensions.h"
 #include "sway/layout.h"
 #include "sway/config.h"
@@ -289,6 +292,18 @@ int main(int argc, char **argv) {
                return 0;
        }
+#ifdef __linux__
+        bool suid = false;
+        if (getuid() != geteuid() || getgid() != getegid()) {
+                // Retain capabilities after setuid()
+                if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+                        sway_log(L_ERROR, "Cannot keep caps after setuid()");
+                        exit(EXIT_FAILURE);
+                }
+                suid = true;
+        }
+#endif
        // we need to setup logging before wlc_init in case it fails.
        if (debug) {
                init_log(L_DEBUG);
@@ -311,6 +326,20 @@ int main(int argc, char **argv) {
        }
        register_extensions();
+#ifdef __linux__
+        if (suid) {
+                // Drop every cap except CAP_SYS_PTRACE
+                cap_t caps = cap_init();
+                cap_value_t keep = CAP_SYS_PTRACE;
+                sway_log(L_INFO, "Dropping extra capabilities");
+                if (cap_set_flag(caps, CAP_PERMITTED, 1, &keep, CAP_SET) ||
+                        cap_set_flag(caps, CAP_EFFECTIVE, 1, &keep, CAP_SET) ||
+                        cap_set_proc(caps)) {
+                        sway_log(L_ERROR, "Failed to drop extra capabilities");
+                        exit(EXIT_FAILURE);
+                }
+        }
+#endif
        // handle SIGTERM signals
        signal(SIGTERM, sig_handler);
author	Drew DeVault <sir@cmpwn.com>	2017-01-12 11:39:14 -0500
committer	GitHub <noreply@github.com>	2017-01-12 11:39:14 -0500
commit	307e8afde29fcd4b51cd25d34b465980a0bfd686 (patch)
tree	bcfca21ab99e7ad31f0805cc08a80b6c15c3d287
parent	Fix #1008 (diff)
parent	Log capability dropping (diff)
download	sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.tar.gz sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.tar.zst sway-307e8afde29fcd4b51cd25d34b465980a0bfd686.zip

diff --git a/sway/main.c b/sway/main.c index e8a02e7a..7bf71b53 100644 --- a/sway/main.c +++ b/sway/main.c
@@ -10,6 +10,9 @@
10	#include <unistd.h>	10	#include <unistd.h>
11	#include <getopt.h>	11	#include <getopt.h>
12	#include <sys/capability.h>	12	#include <sys/capability.h>
		13	#ifdef __linux__
		14	#include <sys/prctl.h>
		15	#endif
13	#include "sway/extensions.h"	16	#include "sway/extensions.h"
14	#include "sway/layout.h"	17	#include "sway/layout.h"
15	#include "sway/config.h"	18	#include "sway/config.h"
@@ -289,6 +292,18 @@ int main(int argc, char **argv) {
289	return 0;	292	return 0;
290	}	293	}
291		294
		295	#ifdef __linux__
		296	bool suid = false;
		297	if (getuid() != geteuid() \|\| getgid() != getegid()) {
		298	// Retain capabilities after setuid()
		299	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
		300	sway_log(L_ERROR, "Cannot keep caps after setuid()");
		301	exit(EXIT_FAILURE);
		302	}
		303	suid = true;
		304	}
		305	#endif
		306
292	// we need to setup logging before wlc_init in case it fails.	307	// we need to setup logging before wlc_init in case it fails.
293	if (debug) {	308	if (debug) {
294	init_log(L_DEBUG);	309	init_log(L_DEBUG);
@@ -311,6 +326,20 @@ int main(int argc, char **argv) {
311	}	326	}
312	register_extensions();	327	register_extensions();
313		328
		329	#ifdef __linux__
		330	if (suid) {
		331	// Drop every cap except CAP_SYS_PTRACE
		332	cap_t caps = cap_init();
		333	cap_value_t keep = CAP_SYS_PTRACE;
		334	sway_log(L_INFO, "Dropping extra capabilities");
		335	if (cap_set_flag(caps, CAP_PERMITTED, 1, &keep, CAP_SET) \|\|
		336	cap_set_flag(caps, CAP_EFFECTIVE, 1, &keep, CAP_SET) \|\|
		337	cap_set_proc(caps)) {
		338	sway_log(L_ERROR, "Failed to drop extra capabilities");
		339	exit(EXIT_FAILURE);
		340	}
		341	}
		342	#endif
314	// handle SIGTERM signals	343	// handle SIGTERM signals
315	signal(SIGTERM, sig_handler);	344	signal(SIGTERM, sig_handler);
316		345