loolwsd/LOOLForKit.cpp | 72 +++++++++++++++++++++++++++++++++++++++++++++++++ loolwsd/Log.cpp | 2 - 2 files changed, 73 insertions(+), 1 deletion(-)
New commits:
commit d0c856c535c3e2fca382a494e1c6f516e043e93a
Author: Tor Lillqvist <t...@collabora.com>
Date: Wed Oct 12 14:19:42 2016 +0300
Verify at run-time that the loolforkit program has the required capabilities
If not, log a mesage and exit. Note that loolwsd does not notice that loolforkit exits. That is obviously a problem, and I will see to that next.
diff --git a/loolwsd/LOOLForKit.cpp b/loolwsd/LOOLForKit.cpp
index 735d0d7..4dc7b3a 100644
--- a/loolwsd/LOOLForKit.cpp
+++ b/loolwsd/LOOLForKit.cpp
@@ -109,6 +109,75 @@ public:
 }
 };
+static bool haveCapability(cap_value_t capability)
+{
+ cap_t caps = cap_get_proc();
+
+ if (caps == nullptr)
+ {
+ Log::syserror("cap_get_proc() failed.");
+ return false;
+ }
+
+ char *cap_name = cap_to_name(capability);
+ cap_flag_value_t value;
+
+ if (cap_get_flag(caps, capability, CAP_EFFECTIVE, &value) == -1)
+ {
+ if (cap_name)
+ {
+ Log::syserror("cap_get_flag failed for " + std::string(cap_name) + ".");
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::syserror("cap_get_flag failed for capability " + std::to_string(capability) + ".");
+ }
+ return false;
+ }
+
+ if (value != CAP_SET)
+ {
+ if (cap_name)
+ {
+ Log::error("Capability " + std::string(cap_name) + " is not set for the loolkit program.");
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::error("Capability " + std::to_string(capability) + " is not set for the loolkit program.");
+ }
+ return false;
+ }
+
+ if (cap_name)
+ {
+ Log::info("Have capability " + std::string(cap_name));
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::info("Have capability " + std::to_string(capability));
+ }
+
+ return true;
+}
+
+static bool haveCorrectCapabilities()
+{
+ bool result = true;
+
+ // Do check them all, don't shortcut with &&
+ if (!haveCapability(CAP_SYS_CHROOT))
+ result = false;
+ if (!haveCapability(CAP_MKNOD))
+ result = false;
+ if (!haveCapability(CAP_SYS_CHROOT))
+ result = false;
+
+ return result;
+}
+
 /// Check if some previously forked kids have died.
 static void cleanupChildren()
 {
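Review bot: The third check in `haveCorrectCapabilities()` repeats `CAP_SYS_CHROOT`, so only two distinct capabilities are verified; if a third one is required (presumably whatever else the install step grants to the binary — to be confirmed), its absence is not caught at startup and would only surface later at the privileged call. Replace the duplicate with the intended capability, or drop it if two are enough. Separately, `haveCapability()` never releases the `cap_t` returned by `cap_get_proc()`; add `cap_free(caps);` before each `return` that follows the nullptr check. The error text says "loolkit program" while the commit message names loolforkit as the program being checked, which could mislead whoever reads the log.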
@@ -211,6 +280,9 @@ int main(int argc, char** argv)
 Log::initialize("frk", logLevel ? logLevel : "", logColor != nullptr, logToFile, logProperties);
+ if (!haveCorrectCapabilities())
+ return Application::EXIT_SOFTWARE;
+
 Util::setTerminationSignals();
 Util::setFatalSignals();
commit 07354f6f45107f74677e4ce25ecdd38702eed3cd
Author: Tor Lillqvist <t...@collabora.com>
Date: Wed Oct 12 14:12:38 2016 +0300
'syserror' does not correspond to a message priority level
Calling Log::syserror() just means errno is relevant and its string should be included in the log line. It is the error() function of the logger that it calls. So don't mark log lines produced by calling Log::syserror() with a separate "SYS" marker, but use the same "ERR" as for Log::error().
diff --git a/loolwsd/Log.cpp b/loolwsd/Log.cpp
index 1707f65..9885d9f 100644
--- a/loolwsd/Log.cpp
+++ b/loolwsd/Log.cpp
@@ -184,7 +184,7 @@ namespace Log
 void syserror(const std::string& msg)
 {
- logger().error(prefix("SYS") + msg + " (errno: " + std::string(std::strerror(errno)) + ")");
+ logger().error(prefix("ERR") + msg + " (errno: " + std::string(std::strerror(errno)) + ")");
 }
 }
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
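Review bot: In the LOOLForKit.cpp `main()` hunk, a missing capability is reported with `Application::EXIT_SOFTWARE`, which reads as an internal bug rather than a permission or deployment problem. If `Application` is Poco's `Poco::Util::Application`, `return Application::EXIT_NOPERM;` (or `EXIT_CONFIG`) would let a supervising process or init script tell a mis-installed binary from a crash. A one-line comment above the check, such as `// Fail early when the required capabilities are not effective.`, would document why startup stops here. main() starts and ends outside the hunk, so whether anything set up earlier needs cleanup before this return cannot be seen.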
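Review bot: In the Log.cpp hunk, `errno` is read inside the same expression that calls `prefix("ERR")` and builds the strings, and the order in which those operands are evaluated is unspecified, so a library call made on the way can overwrite it and the logged reason can be wrong. Save it first with `const int err = errno;` as the first statement of `syserror()` and format from `std::strerror(err)`. `std::strerror()` is also not required to be thread-safe, so if `syserror()` can run on several threads a reentrant variant would be safer. prefix() is not visible here, so whether it actually touches errno is an assumption to confirm.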