diff options
Diffstat (limited to 'daemon/gkd-capability.c')
-rw-r--r-- | daemon/gkd-capability.c | 54 |
1 files changed, 34 insertions, 20 deletions
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c index 9afe3039..6eb7ed75 100644 --- a/daemon/gkd-capability.c +++ b/daemon/gkd-capability.c @@ -1,7 +1,7 @@ /* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 8; tab-width: 8 -*- */ /* gkd-capability.c - the security-critical initial phase of the daemon * - * Copyright (C) 2011 Steve Grubb + * Copyright (C) 2011,2020 Steve Grubb * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as @@ -35,9 +35,10 @@ /* No logging, no gettext */ static void -early_error (const char *err_string) +early_error (const char *err_string, int rc) { - fprintf (stderr, "gnome-keyring-daemon: %s, aborting\n", err_string); + fprintf (stderr, "gnome-keyring-daemon: %s - %d, aborting\n", + err_string, rc); exit (1); } @@ -64,6 +65,8 @@ void gkd_capability_obtain_capability_and_drop_privileges (void) { #ifdef HAVE_LIBCAPNG + int rc; + capng_get_caps_process (); switch (capng_have_capabilities (CAPNG_SELECT_CAPS)) { @@ -73,32 +76,43 @@ gkd_capability_obtain_capability_and_drop_privileges (void) capng_update (CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_IPC_LOCK); - if (capng_change_id (getuid (), getgid (), 0)) - early_error ("failed dropping capabilities"); + if ((rc = capng_change_id (getuid (), getgid (), + CAPNG_DROP_SUPP_GRP| + CAPNG_CLEAR_BOUNDING))) { + early_error ("failed dropping capabilities", + rc); + } break; case CAPNG_FAIL: - early_error ("error getting process capabilities"); + early_error ("error getting process capabilities", 0); break; case CAPNG_NONE: - early_warning ("insufficient process capabilities, insecure memory might get used"); + early_warning ("no process capabilities, insecure memory might get used"); break; - case CAPNG_PARTIAL: /* File system based capabilities */ - if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) { + case CAPNG_PARTIAL: { /* File system based capabilities */ + capng_select_t set = CAPNG_SELECT_CAPS; + if (!capng_have_capability (CAPNG_EFFECTIVE, + CAP_IPC_LOCK)) { early_warning ("insufficient process capabilities, insecure memory might get used"); - /* Drop all capabilities */ - capng_clear (CAPNG_SELECT_BOTH); - capng_apply (CAPNG_SELECT_BOTH); - break; } - /* Drop all capabilities except ipc_lock */ + /* If we don't have CAP_SETPCAP, we can't update the + * bounding set */ + if (capng_have_capability (CAPNG_EFFECTIVE, + CAP_SETPCAP)) { + set = CAPNG_SELECT_BOTH; + } + + /* Drop all capabilities except ipc_lock */ capng_clear (CAPNG_SELECT_BOTH); - if (capng_update (CAPNG_ADD, - CAPNG_EFFECTIVE|CAPNG_PERMITTED, - CAP_IPC_LOCK) != 0) - early_error ("error dropping process capabilities"); - if (capng_apply (CAPNG_SELECT_BOTH) != 0) - early_error ("error dropping process capabilities"); + if ((rc = capng_update (CAPNG_ADD, + CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_IPC_LOCK)) != 0) { + early_error ("error updating process capabilities", rc); + } + if ((rc = capng_apply (set)) != 0) { + early_error ("error dropping process capabilities", rc); + }} /* Extra brace for local variable declaration */ break; } #endif /* HAVE_LIBCAPNG */ |