[people/ms/network.git] / src / networkd / main.c

/*#############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2023 IPFire Network Development Team                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
#############################################################################*/

#include <grp.h>
#include <linux/capability.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

#include "daemon.h"
#include "logging.h"

static int cap_acquire_setpcap(void) {
	cap_flag_value_t value;
	int r;

	// Fetch current capabilities
	cap_t caps = cap_get_proc();

	// Check if CAP_SETPCAP is already enabled
	r = cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &value);
	if (r) {
		ERROR("The kernel does not seem to know CAP_SETPCAP: %m\n");
		goto ERROR;
	}

	// It CAP_SETPCAP isn't set, we will try to set it
	if (value != CAP_SET) {
		const cap_value_t cap = CAP_SETPCAP;

		r = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
		if (r) {
			ERROR("Could not set CAP_SETPCAP: %m\n");
			goto ERROR;
		}

		// Store capabilities
		r = cap_set_proc(caps);
		if (r) {
			ERROR("Could not acquire effective CAP_SETPCAP capability: %m\n");
			goto ERROR;
		}
	}

ERROR:
	if (caps)
		cap_free(caps);

	return r;
}

static cap_flag_value_t keep_cap(const cap_value_t cap, const cap_value_t* keep_caps) {
	for (const cap_value_t* c = keep_caps; *c; c++) {
		if (cap == *c)
			return CAP_SET;
	}

	return CAP_CLEAR;
}

static int drop_capabilities(void) {
	int r;

	const cap_value_t keep_caps[] = {
		CAP_NET_ADMIN,
		CAP_NET_BIND_SERVICE,
		CAP_NET_BROADCAST,
		CAP_NET_RAW,
		0,
	};

	// Acquire CAP_SETPCAP
	r = cap_acquire_setpcap();
	if (r)
		return r;

	// Fetch the current set of capabilities
	cap_t caps = cap_get_proc();

	// Drop all capabilities that we do not need
	for (cap_value_t cap = 1; cap <= CAP_LAST_CAP; cap++) {
		// Skip any capabilities we would like to skip
		cap_flag_value_t flag = keep_cap(cap, keep_caps);

		// Drop the capability from the bounding set
		if (flag == CAP_CLEAR) {
			r = prctl(PR_CAPBSET_DROP, cap);
			if (r) {
				ERROR("Could not drop capability from the bounding set: %m\n");
				goto ERROR;
			}
		}

		r = cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_CLEAR);
		if (r) {
			ERROR("Could not set capability %d: %m\n", (int)cap);
			goto ERROR;
		}

		r = cap_set_flag(caps, CAP_PERMITTED, 1, &cap, flag);
		if (r) {
			ERROR("Could not set capability %d: %m\n", (int)cap);
			goto ERROR;
		}

		r = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
		if (r) {
			ERROR("Could not set capability %d: %m\n", (int)cap);
			goto ERROR;
		}
	}

	// Restore capabilities
	r = cap_set_proc(caps);
	if (r) {
		ERROR("Could not restore capabilities: %m\n");
		goto ERROR;
	}

ERROR:
	if (caps)
		cap_free(caps);

	return r;
}

static int drop_privileges(const char* user) {
	struct passwd* passwd = NULL;
	int r;

	// Fetch the current user
	uid_t current_uid = getuid();

	// If we have not been launched by root, we will assume that we have already
	// been launched with a minimal set of privileges.
	if (current_uid > 0)
		return 0;

	DEBUG("Dropping privileges...\n");

	// Fetch information about the desired user
	passwd = getpwnam(user);
	if (!passwd) {
		ERROR("Could not find user %s: %m\n", user);
		return 1;
	}

	uid_t uid = passwd->pw_uid;
	gid_t gid = passwd->pw_gid;

	// Change group
	r = setresgid(gid, gid, gid);
	if (r) {
		ERROR("Could not change group to %d: %m\n", gid);
		return 1;
	}

	// Set any supplementary groups
	r = setgroups(0, NULL);
	if (r) {
		ERROR("Could not set supplementary groups: %m\n");
		return 1;
	}

	// Do not drop any capabilities when we change to the new user
	r = prctl(PR_SET_KEEPCAPS, 1);
	if (r) {
		ERROR("Could not set PR_SET_KEEPCAPS: %m\n");
		return 1;
	}

	// Change to the new user
	r = setresuid(uid, uid, uid);
	if (r) {
		ERROR("Could not change user to %d: %m\n", uid);
		return 1;
	}

	// Reset PR_SET_KEEPCAPS
	r = prctl(PR_SET_KEEPCAPS, 0);
	if (r) {
		ERROR("Could not set PR_SET_KEEPCAPS: %m\n");
		return 1;
	}

	// Drop capabilities
	r = drop_capabilities();
	if (r)
		return r;

	return 0;
}

int main(int argc, char** argv) {
	struct nw_daemon* daemon = NULL;
	int r;

	// Drop privileges
	r = drop_privileges("network");
	if (r)
		return r;

	// Create the daemon
	r = nw_daemon_create(&daemon);
	if (r)
		return r;

	// Run the daemon
	r = nw_daemon_run(daemon);

	// Cleanup
	if (daemon)
		nw_daemon_unref(daemon);

	return r;
}
Commit	Line	Data
050f4ece MT	1	/*#############################################################################
	2	# #
	3	# IPFire.org - A linux based firewall #
	4	# Copyright (C) 2023 IPFire Network Development Team #
	5	# #
	6	# This program is free software: you can redistribute it and/or modify #
	7	# it under the terms of the GNU General Public License as published by #
	8	# the Free Software Foundation, either version 3 of the License, or #
	9	# (at your option) any later version. #
	10	# #
	11	# This program is distributed in the hope that it will be useful, #
	12	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	14	# GNU General Public License for more details. #
	15	# #
	16	# You should have received a copy of the GNU General Public License #
	17	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	18	# #
	19	#############################################################################*/
	20
eb3f6449	21	#include <grp.h>
dabf344d	22	#include <linux/capability.h>
eb3f6449	23	#include <pwd.h>
8a88982f	24	#include <stddef.h>
dabf344d	25	#include <sys/capability.h>
eb3f6449 MT	26	#include <sys/prctl.h>
	27	#include <sys/types.h>
	28	#include <unistd.h>
26acbb4e	29
112358f3	30	#include "daemon.h"
eb3f6449 MT	31	#include "logging.h"
eb3f6449 MT	32
dabf344d MT	33	static int cap_acquire_setpcap(void) {
	34	cap_flag_value_t value;
	35	int r;
	36
	37	// Fetch current capabilities
	38	cap_t caps = cap_get_proc();
	39
	40	// Check if CAP_SETPCAP is already enabled
	41	r = cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &value);
	42	if (r) {
	43	ERROR("The kernel does not seem to know CAP_SETPCAP: %m\n");
	44	goto ERROR;
	45	}
	46
	47	// It CAP_SETPCAP isn't set, we will try to set it
	48	if (value != CAP_SET) {
	49	const cap_value_t cap = CAP_SETPCAP;
	50
	51	r = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
	52	if (r) {
	53	ERROR("Could not set CAP_SETPCAP: %m\n");
	54	goto ERROR;
	55	}
	56
	57	// Store capabilities
	58	r = cap_set_proc(caps);
	59	if (r) {
	60	ERROR("Could not acquire effective CAP_SETPCAP capability: %m\n");
	61	goto ERROR;
	62	}
	63	}
	64
	65	ERROR:
	66	if (caps)
	67	cap_free(caps);
	68
	69	return r;
	70	}
	71
	72	static cap_flag_value_t keep_cap(const cap_value_t cap, const cap_value_t* keep_caps) {
	73	for (const cap_value_t* c = keep_caps; *c; c++) {
	74	if (cap == *c)
	75	return CAP_SET;
	76	}
	77
	78	return CAP_CLEAR;
	79	}
	80
	81	static int drop_capabilities(void) {
	82	int r;
	83
	84	const cap_value_t keep_caps[] = {
	85	CAP_NET_ADMIN,
	86	CAP_NET_BIND_SERVICE,
	87	CAP_NET_BROADCAST,
	88	CAP_NET_RAW,
	89	0,
	90	};
	91
	92	// Acquire CAP_SETPCAP
	93	r = cap_acquire_setpcap();
	94	if (r)
	95	return r;
	96
97	// Fetch the current set of capabilities
98	cap_t caps = cap_get_proc();
99
100	// Drop all capabilities that we do not need
101	for (cap_value_t cap = 1; cap <= CAP_LAST_CAP; cap++) {
102	// Skip any capabilities we would like to skip
103	cap_flag_value_t flag = keep_cap(cap, keep_caps);
104
105	// Drop the capability from the bounding set
106	if (flag == CAP_CLEAR) {
107	r = prctl(PR_CAPBSET_DROP, cap);
108	if (r) {
109	ERROR("Could not drop capability from the bounding set: %m\n");
110	goto ERROR;
111	}
112	}
113
114	r = cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_CLEAR);
115	if (r) {
116	ERROR("Could not set capability %d: %m\n", (int)cap);
117	goto ERROR;
118	}
119
120	r = cap_set_flag(caps, CAP_PERMITTED, 1, &cap, flag);
121	if (r) {
122	ERROR("Could not set capability %d: %m\n", (int)cap);
123	goto ERROR;
124	}
125
126	r = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
127	if (r) {
128	ERROR("Could not set capability %d: %m\n", (int)cap);
129	goto ERROR;
130	}
131	}
132
133	// Restore capabilities
134	r = cap_set_proc(caps);
135	if (r) {
136	ERROR("Could not restore capabilities: %m\n");
137	goto ERROR;
138	}
139
140	ERROR:
141	if (caps)
142	cap_free(caps);
143
144	return r;
145	}
146
eb3f6449 MT	147	static int drop_privileges(const char* user) {
	148	struct passwd* passwd = NULL;
	149	int r;
	150
	151	// Fetch the current user
	152	uid_t current_uid = getuid();
	153
	154	// If we have not been launched by root, we will assume that we have already
	155	// been launched with a minimal set of privileges.
	156	if (current_uid > 0)
	157	return 0;
	158
	159	DEBUG("Dropping privileges...\n");
	160
	161	// Fetch information about the desired user
	162	passwd = getpwnam(user);
	163	if (!passwd) {
	164	ERROR("Could not find user %s: %m\n", user);
	165	return 1;
	166	}
	167
	168	uid_t uid = passwd->pw_uid;
	169	gid_t gid = passwd->pw_gid;
	170
	171	// Change group
	172	r = setresgid(gid, gid, gid);
	173	if (r) {
	174	ERROR("Could not change group to %d: %m\n", gid);
	175	return 1;
	176	}
	177
	178	// Set any supplementary groups
	179	r = setgroups(0, NULL);
	180	if (r) {
	181	ERROR("Could not set supplementary groups: %m\n");
	182	return 1;
	183	}
	184
	185	// Do not drop any capabilities when we change to the new user
	186	r = prctl(PR_SET_KEEPCAPS, 1);
	187	if (r) {
	188	ERROR("Could not set PR_SET_KEEPCAPS: %m\n");
	189	return 1;
	190	}
	191
	192	// Change to the new user
	193	r = setresuid(uid, uid, uid);
	194	if (r) {
	195	ERROR("Could not change user to %d: %m\n", uid);
	196	return 1;
	197	}
	198
	199	// Reset PR_SET_KEEPCAPS
	200	r = prctl(PR_SET_KEEPCAPS, 0);
	201	if (r) {
	202	ERROR("Could not set PR_SET_KEEPCAPS: %m\n");
	203	return 1;
	204	}
	205
dabf344d MT	206	// Drop capabilities
	207	r = drop_capabilities();
	208	if (r)
	209	return r;
	210
eb3f6449 MT	211	return 0;
eb3f6449 MT	212	}
112358f3	213
050f4ece	214	int main(int argc, char** argv) {
112358f3 MT	215	struct nw_daemon* daemon = NULL;
	216	int r;
	217
eb3f6449 MT	218	// Drop privileges
	219	r = drop_privileges("network");
	220	if (r)
	221	return r;
26acbb4e	222
112358f3 MT	223	// Create the daemon
	224	r = nw_daemon_create(&daemon);
	225	if (r)
8a88982f	226	return r;
26acbb4e	227
c7e1b5db MT	228	// Run the daemon
c7e1b5db MT	229	r = nw_daemon_run(daemon);
26acbb4e	230
8a88982f	231	// Cleanup
112358f3 MT	232	if (daemon)
	233	nw_daemon_unref(daemon);
	234
8a88982f	235	return r;
050f4ece	236	}