Author: jajcus
Date: Mon May 10 16:31:45 2010
New Revision: 11423

Modified:
   rc-scripts/trunk/configure.ac
   rc-scripts/trunk/man/start-stop-daemon.8
   rc-scripts/trunk/rc.d/init.d/functions
   rc-scripts/trunk/src/Makefile.am
   rc-scripts/trunk/src/start-stop-daemon.c
Log:
- 'dropcaps' and 'start-stop-daemon-pid-check' patches from packages/rc-scripts 
applied


Modified: rc-scripts/trunk/configure.ac
==============================================================================
--- rc-scripts/trunk/configure.ac       (original)
+++ rc-scripts/trunk/configure.ac       Mon May 10 16:31:45 2010
@@ -91,7 +91,7 @@
   DPKG_C_GCC_ATTRIBUTE(format...,format,[char *y, 
...],[format(printf,1,2)],PRINTFFORMAT,[Define if printf-format argument lists 
a la GCC are available.]))
 
 AC_CHECK_TYPE(ptrdiff_t,int)
-AC_CHECK_HEADERS([stddef.h])
+AC_CHECK_HEADERS([stddef.h sys/capability.h])
 
 dnl Output
 AC_SUBST(BASHSCRIPTS)
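Review bot: Only the header is probed here; nothing checks that libcap itself can be linked, while the `src/Makefile.am` hunk adds `start_stop_daemon_LDADD = -lcap` unconditionally. On a system without libcap the header test fails and the capability code is compiled out, yet the link step still asks for `-lcap` and the build breaks. Consider probing the library as well, e.g. `AC_CHECK_LIB([cap], [cap_get_proc], [CAP_LIBS=-lcap])` with `AC_SUBST([CAP_LIBS])`, and using `start_stop_daemon_LDADD = $(CAP_LIBS)` in the Makefile. `PR_CAPBSET_DROP` from `<sys/prctl.h>` is also used under the same guard without a check of its own.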

Modified: rc-scripts/trunk/man/start-stop-daemon.8
==============================================================================
--- rc-scripts/trunk/man/start-stop-daemon.8    (original)
+++ rc-scripts/trunk/man/start-stop-daemon.8    Mon May 10 16:31:45 2010
@@ -203,6 +203,9 @@
 before starting the process. Please note that the pidfile is also written
 after the chroot.
 .TP
+.BR \-D ", " \-\-dropcap " \fIcapabilities1,capabilities2\fP"
+Drop theses capabilities separated by commas.
+.TP
 \fB\-d\fP|\fB\-\-chdir\fP \fIpath\fP
 Chdir to
 .I path

Modified: rc-scripts/trunk/rc.d/init.d/functions
==============================================================================
--- rc-scripts/trunk/rc.d/init.d/functions      (original)
+++ rc-scripts/trunk/rc.d/init.d/functions      Mon May 10 16:31:45 2010
@@ -625,6 +625,7 @@
                                ${chdir:+--chdir "$chdir"} \
                                ${fork:+--background} \
                                ${waitname:+--name $waitname} \
+                               ${SERVICE_DROPCAPS:+--dropcap 
$SERVICE_DROPCAPS} \
                                --exec "$prog" \
                                -- ${1:+"$@"}
                else
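Review bot: `$SERVICE_DROPCAPS` is expanded unquoted on the added line, unlike `"$chdir"` a few lines above it. A value written with a space after a comma is word-split, so `--dropcap` receives only the first word and the rest becomes a stray argument; the capabilities in the tail are then not dropped and nothing reports it. Quoting it, `${SERVICE_DROPCAPS:+--dropcap "$SERVICE_DROPCAPS"} \`, passes the list as one argument, so a malformed entry reaches the parser and should be rejected there. The `else` branch continues outside the hunk, so whether other start-stop-daemon invocations in this function also need the option cannot be seen from here.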

Modified: rc-scripts/trunk/src/Makefile.am
==============================================================================
--- rc-scripts/trunk/src/Makefile.am    (original)
+++ rc-scripts/trunk/src/Makefile.am    Mon May 10 16:31:45 2010
@@ -66,6 +66,7 @@
 consoletype_SOURCES = consoletype.c
 
 start_stop_daemon_SOURCES = start-stop-daemon.c
+start_stop_daemon_LDADD = -lcap
 
 setuidgid_SOURCES = setuidgid.c
 

Modified: rc-scripts/trunk/src/start-stop-daemon.c
==============================================================================
--- rc-scripts/trunk/src/start-stop-daemon.c    (original)
+++ rc-scripts/trunk/src/start-stop-daemon.c    Mon May 10 16:31:45 2010
@@ -62,6 +62,11 @@
 #include <limits.h>
 #endif
 
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/prctl.h>
+#include <sys/capability.h>
+#endif
+
 #if defined(OShpux)
 #include <sys/param.h>
 #include <sys/pstat.h>
@@ -117,6 +122,7 @@
 static const char *schedule_str = NULL;
 static const char *progname = "";
 static int nicelevel = 0;
+static char *caplist = NULL;
 
 static struct stat exec_stat;
 #if defined(OSHURD)
@@ -278,6 +284,7 @@
 "  -n|--name <process-name>      stop processes with this name\n"
 "  -s|--signal <signal>          signal to send (default TERM)\n"
 "  -a|--startas <pathname>       program to start (default is <executable>)\n"
+"  -D|--dropcap <capbilities>    drop theses capabilities\n"
 "  -C|--chdir <directory>        Change to <directory>(default is /)\n"
 "  -N|--nicelevel <incr>         add incr to the process's nice level\n"
 "  -b|--background               force the process to detach\n"
@@ -442,6 +449,46 @@
        }
 }
 
+#ifdef HAVE_SYS_CAPABILITY_H
+static void
+remove_capabilities(char *capstr) {
+       cap_value_t capval;
+       char *savedptr, *ptr;
+       cap_t caps;
+
+       caps = cap_get_proc();
+       if (caps == NULL) {
+               fatal("Unable to retrieve my capabilities");
+       }
+
+       ptr = strtok_r(capstr, ",", &savedptr);
+       while (ptr) {
+               if (cap_from_name(ptr, &capval) != 0) {
+                       errno = EINVAL;
+                       fatal("Unable to parse this capability : \"%s\"", ptr);
+               }
+
+               if (prctl(PR_CAPBSET_DROP, capval, 0, 0) != 0) {
+                       fatal("Unable to drop this capability: %s", ptr);
+               }
+
+               if (cap_set_flag(caps, CAP_INHERITABLE, 1, (cap_value_t 
*)&capval, CAP_CLEAR) != 0) {
+                       fatal("Unable to clear the capability %s", ptr);
+               }
+
+               ptr = strtok_r(NULL, ",", &savedptr);
+       }
+
+       if (cap_set_proc(caps) != 0) {
+               fatal("Unable to remove theses capabilities from the inherited 
set\n");
+       }
+
+       if (cap_free(caps) == -1) {
+               fatal("Cannot free the capability");
+       }
+}
+#endif
+
 static void
 parse_options(int argc, char * const *argv)
 {
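Review bot: An argument that yields no tokens (an empty string or only commas) skips the `while (ptr)` loop entirely, so `remove_capabilities()` returns successfully without dropping anything. For a privilege-reduction option that should be an error; after the first `strtok_r` add `if (ptr == NULL) fatal("No capability given to --dropcap");`. The function also lacks a header comment: it should say that each named capability is removed from the bounding set and from the inheritable set (presumably so the exec'd program cannot regain it), that `PR_CAPBSET_DROP` needs CAP_SETPCAP in the caller, and that `capstr` is modified in place by `strtok_r`. The `cap_set_proc` failure message ends in `\n` while the other `fatal()` messages do not.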
@@ -460,6 +507,7 @@
                { "user",         1, NULL, 'u'},
                { "group",        1, NULL, 'g'},
                { "chroot",       1, NULL, 'r'},
+               { "dropcap",      1, NULL, 'D'},
                { "verbose",      0, NULL, 'v'},
                { "exec",         1, NULL, 'x'},
                { "chuid",        1, NULL, 'c'},
@@ -473,7 +521,7 @@
        int c;
 
        for (;;) {
-               c = getopt_long(argc, argv, 
"HKSVa:n:op:qr:s:tu:vx:c:N:bmR:g:d:",
+               c = getopt_long(argc, argv, 
"HKSVa:n:op:qr:s:tu:vx:c:N:bmR:g:d:D",
                                longopts, (int *) 0);
                if (c == -1)
                        break;
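Review bot: The new short option is added to the optstring as `D` with no trailing colon, so `-D` is parsed as a flag without an argument, although the longopts entry for `dropcap` declares one. With `-D cap_net_raw`, `optarg` is NULL in `case 'D'`, `caplist` stays NULL, and the `if (caplist)` test before `execv` skips the drop without any message, so the daemon starts with the capabilities it was meant to lose. The string should end in `d:D:`. Until then only the long form `--dropcap` behaves as the man page describes.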
@@ -533,6 +581,13 @@
                case 'r':  /* --chroot /new/root */
                        changeroot = optarg;
                        break;
+               case 'D':  /* --dropcap cap_net_raw,cap_mac_admin */
+#ifdef HAVE_SYS_CAPABILITY_H
+                       caplist = optarg;
+#else
+                       badusage("Capabilities are not supported on your OS");
+#endif
+                       break;
                case 'N':  /* --nice */
                        nicelevel = atoi(optarg);
                        break;
@@ -736,7 +791,8 @@
                return;
        if (start && !pid_is_running(pid))
                return;
-       push(&found, pid);
+       if (stop && pid_is_running(pid))
+               push(&found, pid);
 }
 
 static void
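Review bot: After this change `push(&found, pid)` is reached only when `stop` is set. In start mode a running process passes the `!pid_is_running(pid)` guard above and is then discarded, so if the start path relies on `found` to detect an already-running daemon (that code is outside the hunk), it would no longer see one and could launch a duplicate. If the intent is only to keep stale pids out of the stop list, `if ((start || stop) && !pid_is_running(pid)) return;` followed by the unconditional `push(&found, pid);` keeps both cases. The beginning of the function is outside the hunk.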
@@ -1298,6 +1354,13 @@
                setpgid(0,0);
 #endif
        }
+
+#ifdef HAVE_SYS_CAPABILITY_H
+       if (caplist) {
+               remove_capabilities(caplist);
+       }
+#endif
+
        execv(startas, argv);
        fatal("Unable to start %s: %s", startas, strerror(errno));
 }
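Review bot: `remove_capabilities()` is called as the last step before `execv`, and `prctl(PR_CAPBSET_DROP, ...)` requires CAP_SETPCAP in the effective set. If the uid switch for `--chuid` happens earlier in this function (not visible in the hunk), the effective set has normally been cleared by then, and combining `--chuid` with `--dropcap` would end in the `Unable to drop this capability` fatal error instead of starting the daemon. Moving the call ahead of the uid/gid change, or documenting that the two options cannot be combined, would settle it. A comment such as `/* must run while CAP_SETPCAP is still effective */` above the call would record the ordering constraint.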