loolwsd/LOOLForKit.cpp | 72 +++++++++++++++++++++++++++++++++++++++++++++++++
loolwsd/Log.cpp | 2 -
2 files changed, 73 insertions(+), 1 deletion(-)
New commits:
commit d0c856c535c3e2fca382a494e1c6f516e043e93a
Author: Tor Lillqvist <t...@collabora.com>
Date: Wed Oct 12 14:19:42 2016 +0300
Verify at run-time that the loolforkit program has the required capabilities
If not, log a mesage and exit.
Note that loolwsd does not notice that loolforkit exits. That is
obviously a problem, and I will see to that next.
diff --git a/loolwsd/LOOLForKit.cpp b/loolwsd/LOOLForKit.cpp
index 735d0d7..4dc7b3a 100644
--- a/loolwsd/LOOLForKit.cpp
+++ b/loolwsd/LOOLForKit.cpp
@@ -109,6 +109,75 @@ public:
}
};
+static bool haveCapability(cap_value_t capability)
+{
+ cap_t caps = cap_get_proc();
+
+ if (caps == nullptr)
+ {
+ Log::syserror("cap_get_proc() failed.");
+ return false;
+ }
+
+ char *cap_name = cap_to_name(capability);
+ cap_flag_value_t value;
+
+ if (cap_get_flag(caps, capability, CAP_EFFECTIVE, &value) == -1)
+ {
+ if (cap_name)
+ {
+ Log::syserror("cap_get_flag failed for " + std::string(cap_name) +
".");
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::syserror("cap_get_flag failed for capability " +
std::to_string(capability) + ".");
+ }
+ return false;
+ }
+
+ if (value != CAP_SET)
+ {
+ if (cap_name)
+ {
+ Log::error("Capability " + std::string(cap_name) + " is not set
for the loolkit program.");
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::error("Capability " + std::to_string(capability) + " is not
set for the loolkit program.");
+ }
+ return false;
+ }
+
+ if (cap_name)
+ {
+ Log::info("Have capability " + std::string(cap_name));
+ cap_free(cap_name);
+ }
+ else
+ {
+ Log::info("Have capability " + std::to_string(capability));
+ }
+
+ return true;
+}
+
+static bool haveCorrectCapabilities()
+{
+ bool result = true;
+
+ // Do check them all, don't shortcut with &&
+ if (!haveCapability(CAP_SYS_CHROOT))
+ result = false;
+ if (!haveCapability(CAP_MKNOD))
+ result = false;
+ if (!haveCapability(CAP_SYS_CHROOT))
+ result = false;
+
+ return result;
+}
+
/// Check if some previously forked kids have died.
static void cleanupChildren()
{
@@ -211,6 +280,9 @@ int main(int argc, char** argv)
Log::initialize("frk", logLevel ? logLevel : "", logColor != nullptr,
logToFile, logProperties);
+ if (!haveCorrectCapabilities())
+ return Application::EXIT_SOFTWARE;
+
Util::setTerminationSignals();
Util::setFatalSignals();
commit 07354f6f45107f74677e4ce25ecdd38702eed3cd
Author: Tor Lillqvist <t...@collabora.com>
Date: Wed Oct 12 14:12:38 2016 +0300
'syserror' does not correspond to a message priority level
Calling Log::syserror() just means errno is relevant and its string
should be included in the log line. It is the error() function of the
logger that it calls.
So don't mark log lines produced by calling Log::syserror() with a
separate "SYS" marker, but use the same "ERR" as for Log::error().
diff --git a/loolwsd/Log.cpp b/loolwsd/Log.cpp
index 1707f65..9885d9f 100644
--- a/loolwsd/Log.cpp
+++ b/loolwsd/Log.cpp
@@ -184,7 +184,7 @@ namespace Log
void syserror(const std::string& msg)
{
- logger().error(prefix("SYS") + msg + " (errno: " +
std::string(std::strerror(errno)) + ")");
+ logger().error(prefix("ERR") + msg + " (errno: " +
std::string(std::strerror(errno)) + ")");
}
}
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
