Commit 2cd77aef authored by Marek Vavrusa's avatar Marek Vavrusa

Allow DAC on all, but worker threads.

Required for saving transferred zones.

refs #1556
parent 88d49608
......@@ -193,9 +193,10 @@ int main(int argc, char **argv)
capng_clear(CAPNG_SELECT_BOTH);
/* Retain ability to set capabilities. */
/* Retain ability to set capabilities and FS access. */
capng_type_t tp = CAPNG_EFFECTIVE|CAPNG_PERMITTED;
capng_update(CAPNG_ADD, tp, CAP_SETPCAP);
capng_update(CAPNG_ADD, tp, CAP_DAC_OVERRIDE);
/* Allow binding to privileged ports.
* (Not inheritable)
......
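Review bot: `CAP_DAC_OVERRIDE`, added to the retained set in `main()`, bypasses read, write and execute permission checks on every file, which is much wider than the stated need of saving transferred zones. If the zone storage directory can be made writable by the daemon's runtime user, no capability is needed. If it has to stay, the comment should record why, e.g. `/* CAP_DAC_OVERRIDE: only for writing transferred zone files; bypasses all DAC checks. */`. The result of `capng_update()` is also ignored here. The trailing comment and the rest of `main()` continue outside the hunk, so where the set is applied is not visible.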
......@@ -127,10 +127,12 @@ static void *thread_ep(void *data)
dbg_dt("dthreads: [%p] entered ep\n", thread);
// Drop capabilities
/* Drop capabilities except FS access. */
#ifdef HAVE_CAP_NG_H
if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
capng_type_t tp = CAPNG_EFFECTIVE|CAPNG_PERMITTED;
capng_clear(CAPNG_SELECT_BOTH);
capng_update(CAPNG_ADD, tp, CAP_DAC_OVERRIDE);
capng_apply(CAPNG_SELECT_BOTH);
}
#endif /* HAVE_CAP_NG_H */
......
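Review bot: The results of `capng_update()` and `capng_apply()` in `thread_ep()` are ignored, so if the apply fails the thread keeps running with the set it inherited, including the `CAP_SETPCAP` the guard just tested for. A privilege drop should fail closed: `if (capng_apply(CAPNG_SELECT_BOTH) < 0) { /* log the failure and stop the thread */ }`. The same unchecked calls appear in the worker hunks of `tcp_loop_worker()` and `udp_master()`. `thread_ep()` starts and ends outside the hunk, so the correct bail-out path is not visible here.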
......@@ -24,6 +24,9 @@
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_CAP_NG_H
#include <cap-ng.h>
#endif /* HAVE_CAP_NG_H */
#include "common/sockaddr.h"
#include "common/skip-list.h"
......@@ -487,6 +490,14 @@ int tcp_loop_worker(dthread_t *thread)
return KNOTD_EINVAL;
}
/* Drop all capabilities on workers. */
#ifdef HAVE_CAP_NG_H
if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
capng_clear(CAPNG_SELECT_BOTH);
capng_apply(CAPNG_SELECT_BOTH);
}
#endif /* HAVE_CAP_NG_H */
/* Next sweep time. */
struct timespec next_sweep;
clock_gettime(CLOCK_MONOTONIC, &next_sweep);
......
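Review bot: The guard `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` in `tcp_loop_worker()` may already be false when the worker runs, in which case the drop is skipped and the worker keeps `CAP_DAC_OVERRIDE`. This would happen if workers are entered through `thread_ep()`, which in this same commit clears everything except `CAP_DAC_OVERRIDE`; that call path is not visible here, so please confirm it. A thread can lower its own effective and permitted sets without `CAP_SETPCAP`, so the guard could test the capability being removed instead: `if (capng_have_capability(CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE)) {`. The identical block in `udp_master()` has the same issue. Reading `CapEff` in `/proc/<pid>/task/<tid>/status` for a running worker thread would show whether it really ends up with an empty set.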
......@@ -31,6 +31,9 @@
#include <string.h>
#include <assert.h>
#include <errno.h>
#ifdef HAVE_CAP_NG_H
#include <cap-ng.h>
#endif /* HAVE_CAP_NG_H */
#include "common/sockaddr.h"
#include "knot/common.h"
......@@ -466,6 +469,15 @@ int udp_master(dthread_t *thread)
stat_t *thread_stat = 0;
STAT_INIT(thread_stat); //XXX new stat instance every time.
stat_set_protocol(thread_stat, stat_UDP);
/* Drop all capabilities on workers. */
#ifdef HAVE_CAP_NG_H
if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
capng_clear(CAPNG_SELECT_BOTH);
capng_apply(CAPNG_SELECT_BOTH);
}
#endif /* HAVE_CAP_NG_H */
/* Execute proper handler. */
dbg_net_verb("udp: thread started (worker %p).\n", thread);
......