loolwsd/Capabilities.hpp | 6 +++++- loolwsd/LOOLKit.cpp | 19 +++++++++++++++++++ loolwsd/Makefile.am | 4 ++-- loolwsd/debian/loolwsd.postinst | 4 ++-- loolwsd/loolwsd.spec.in | 4 ++-- 5 files changed, 30 insertions(+), 7 deletions(-)
New commits: commit 509314d5598b68fa9a449a1a7348b10f25b7014a Author: Tor Lillqvist <t...@collabora.com> Date: Mon Feb 29 12:15:18 2016 +0200 Also chown the random devices to root:root and chmod to 666 Otherwise they won't work. Not that I know whether this helps anything, really. At least the NSS crypto initialization still takes a long time.
diff --git a/loolwsd/LOOLKit.cpp b/loolwsd/LOOLKit.cpp
index 3aaec05..969bfdb 100644
--- a/loolwsd/LOOLKit.cpp
+++ b/loolwsd/LOOLKit.cpp
@@ -876,12 +876,30 @@ void lokit_main(const std::string& childRoot,
 Log::error("Error: mknod(" + jailPath.toString() + "/dev/random) failed.");
 }
+ if (chmod((jailPath.toString() + "/dev/random").c_str(), 0666) != 0)
+ {
+ Log::error("Error: chmod(" + jailPath.toString() + "/dev/random, 0666) failed.");
+
+ }
+ if (chown((jailPath.toString() + "/dev/random").c_str(), 0, 0) != 0)
+ {
+ Log::error("Error: chown(" + jailPath.toString() + "/dev/random, 0, 0) failed.");
+
+ }
 if (mknod((jailPath.toString() + "/dev/urandom").c_str(), S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, makedev(1, 9)) != 0)
 {
 Log::error("Error: mknod(" + jailPath.toString() + "/dev/urandom) failed.");
 }
+ if (chmod((jailPath.toString() + "/dev/urandom").c_str(), 0666) != 0)
+ {
+ Log::error("Error: chmod(" + jailPath.toString() + "/dev/urandom, 0666) failed.");
+ }
+ if (chown((jailPath.toString() + "/dev/urandom").c_str(), 0, 0) != 0)
+ {
+ Log::error("Error: chown(" + jailPath.toString() + "/dev/urandom, 0, 0) failed.");
+ }
 #endif
 Log::info("chroot(\"" + jailPath.toString() + "\")");
@@ -900,6 +918,7 @@ void lokit_main(const std::string& childRoot,
 #ifdef __linux
 dropCapability(CAP_SYS_CHROOT);
 dropCapability(CAP_MKNOD);
+ dropCapability(CAP_CHOWN);
 dropCapability(CAP_FOWNER);
 #else
 dropCapability();
diff --git a/loolwsd/Makefile.am b/loolwsd/Makefile.am
index ec507b7..a8674de 100644
--- a/loolwsd/Makefile.am
+++ b/loolwsd/Makefile.am
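Review bot: The added `chmod()` and `chown()` calls run even when the preceding `mknod()` failed, and both follow symlinks, so if anything already exists at `<jail>/dev/random` or `<jail>/dev/urandom` the process applies mode 0666 and root:root to whatever that path resolves to while holding CAP_FOWNER and CAP_CHOWN. Whether anyone else can write to the jail's `dev` directory before this point is not visible here, so confirm that; independent of the answer, fixing up the node only when `mknod()` succeeded and using `lchown()` narrows the exposure. The four near-identical blocks can become one helper that also appends `strerror(errno)` to the messages and carries a comment on why the chmod is needed (the `mknod()` mode is masked by the umask). lokit_main starts and ends outside the hunk, so the sketch below shows only the helper and the two call sites.

```cpp
// Set mode and owner on a device node this process has just created.
static void fixDeviceNode(const std::string& path)
{
    // mknod()'s mode argument is masked by the umask, hence the explicit chmod.
    if (chmod(path.c_str(), 0666) != 0)
        Log::error("Error: chmod(" + path + ", 0666) failed: " + strerror(errno));
    // lchown() so that a symlink at this path is not followed.
    if (lchown(path.c_str(), 0, 0) != 0)
        Log::error("Error: lchown(" + path + ", 0, 0) failed: " + strerror(errno));
}

// … unchanged: mknod() call and its error branch for /dev/random …
else
{
    fixDeviceNode(jailPath.toString() + "/dev/random");
}
// … unchanged: mknod() call and its error branch for /dev/urandom …
else
{
    fixDeviceNode(jailPath.toString() + "/dev/urandom");
}
```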
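Review bot: CAP_CHOWN stays in the effective and permitted sets until this block, which comes after the `chroot()` log line of the previous hunk, although the only visible use of it is the two `chown()` calls made before entering the jail. If nothing in between needs it, calling `dropCapability(CAP_CHOWN);` directly after the device nodes are set up would shorten the time the process can change file ownership. The lines between the two hunks are not shown, so confirm that first; lokit_main continues outside the hunk.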
@@ -46,8 +46,8 @@ all-local: loolwsd loolbroker
 if test "$$BUILDING_FROM_RPMBUILD" != yes; then \
 if test `uname -s` = Linux; then \
 sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolwsd; \
- sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolbroker; \
- sudo @SETCAP@ cap_fowner,cap_mknod,cap_sys_chroot=ep loolkit; \
+ sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolbroker; \
+ sudo @SETCAP@ cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep loolkit; \
 else \
 sudo chown root loolwsd && sudo chmod u+s loolwsd; \
 sudo chown root loolbroker && sudo chmod u+s loolbroker; \
diff --git a/loolwsd/debian/loolwsd.postinst b/loolwsd/debian/loolwsd.postinst
index 6025356..ae4bb9e 100755
--- a/loolwsd/debian/loolwsd.postinst
+++ b/loolwsd/debian/loolwsd.postinst
@@ -5,8 +5,8 @@ set -e
 case "$1" in
 configure)
 setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd || true
- setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit || true
- setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker || true
+ setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit || true
+ setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker || true
 adduser --quiet --system --group --home /opt/lool lool
 mkdir -p /var/cache/loolwsd && chown lool: /var/cache/loolwsd
diff --git a/loolwsd/loolwsd.spec.in b/loolwsd/loolwsd.spec.in
index bae8447..c2dce99 100644
--- a/loolwsd/loolwsd.spec.in
+++ b/loolwsd/loolwsd.spec.in
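Review bot: `cap_chown` is added with `=ep` to both loolbroker and loolkit, but the only `chown()` calls this commit adds are in lokit_main in LOOLKit.cpp, so it is worth confirming that loolbroker needs the capability at all; the same two lines are changed in debian/loolwsd.postinst and loolwsd.spec.in. With `=ep` the capability is effective as soon as the binary is executed by any user allowed to run it, and together with cap_fowner it covers changing owner and mode of files the caller does not own until the process drops it. The installed file modes are not visible in these hunks; if the binaries are meant to be started only by the service account, restricting execute permission to that account in the packaging scripts limits who can obtain the capabilities. A comment above the `setcap` lines recording which call needs which capability, for example `# cap_chown: chown() of the jail's /dev/random and /dev/urandom in lokit_main`, would keep the list reviewable as it grows.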
@@ -70,8 +70,8 @@ echo "0 0 */1 * * root find /var/cache/loolwsd -name \"*.png\" -a -atime +10 -ex
 %post
 setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolwsd
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolbroker
-setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolkit
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolbroker
+setcap cap_fowner,cap_mknod,cap_chown,cap_sys_chroot=ep /usr/bin/loolkit
 getent group %{group} >/dev/null || groupadd -r %{group}
 getent passwd %{owner} >/dev/null || useradd -g %{group} -r %{owner}
commit d489f693726bfa6b0bcc9c258e54b267221af0d4 Author: Tor Lillqvist <t...@collabora.com> Date: Mon Feb 29 12:12:18 2016 +0200 Log also capabilities before dropping
diff --git a/loolwsd/Capabilities.hpp b/loolwsd/Capabilities.hpp
index cb7e300..6c59c21 100644
--- a/loolwsd/Capabilities.hpp
+++ b/loolwsd/Capabilities.hpp
@@ -41,6 +41,10 @@ void dropCapability(
 exit(1);
 }
+ char *capText = cap_to_text(caps, nullptr);
+ Log::info("Capabilities first: " + std::string(capText));
+ cap_free(capText);
+
 if (cap_set_flag(caps, CAP_EFFECTIVE, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1 || cap_set_flag(caps, CAP_PERMITTED, sizeof(cap_list)/sizeof(cap_list[0]), cap_list, CAP_CLEAR) == -1)
 {
@@ -54,7 +58,7 @@ void dropCapability(
 exit(1);
 }
- char *capText = cap_to_text(caps, nullptr);
+ capText = cap_to_text(caps, nullptr);
 Log::info("Capabilities now: " + std::string(capText));
 cap_free(capText);
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
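Review bot: `cap_to_text()` returns a null pointer on failure, and the new "Capabilities first" line passes its result straight to `std::string(capText)`, which is undefined behaviour for a null pointer; the "Capabilities now" line in the second hunk reuses the variable with the same pattern. Guard both uses, for example `Log::info("Capabilities first: " + std::string(capText ? capText : "(unavailable)"));`, and call `cap_free(capText)` only when the pointer is non-null. dropCapability starts and ends outside both hunks.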