pdns/capabilities.cc

   1 /*
   2  * This file is part of PowerDNS or dnsdist.
   3  * Copyright -- PowerDNS.COM B.V. and its contributors
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of version 2 of the GNU General Public License as
   7  * published by the Free Software Foundation.
   8  *
   9  * In addition, for the avoidance of any doubt, permission is granted to
  10  * link this program with OpenSSL and to (re)distribute the binaries
  11  * produced as the result of such linking.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22
  23 #include "config.h"
  24
  25 #include <cstring>
  26 #include <stdexcept>
  27
  28 #ifdef HAVE_LIBCAP
  29 #include <sys/capability.h>
  30 #endif
  31
  32 #include "capabilities.hh"
  33 #include "misc.hh"
  34
  35 void dropCapabilities(std::set<std::string> capabilitiesToKeep)
  36 {
  37 #ifdef HAVE_LIBCAP
  38    cap_t caps = cap_get_proc();
  39    if (caps != nullptr) {
  40      cap_clear(caps);
  41
  42      if (!capabilitiesToKeep.empty()) {
  43        std::vector<cap_value_t> toKeep;
  44        toKeep.reserve(capabilitiesToKeep.size());
  45
  46        for (const auto& capToKeep : capabilitiesToKeep) {
  47          cap_value_t value;
  48          int res = cap_from_name(capToKeep.c_str(), &value);
  49          if (res != 0) {
  50            cap_free(caps);
  51            throw std::runtime_error("Unable to convert capability name '" + capToKeep + "': " + stringerror());
  52          }
  53          toKeep.push_back(value);
  54        }
  55
  56        if (cap_set_flag(caps, CAP_EFFECTIVE, toKeep.size(), toKeep.data(), CAP_SET) != 0) {
  57          cap_free(caps);
  58          throw std::runtime_error("Unable to set effective flag capabilities: " + stringerror());
  59        }
  60
  61        if (cap_set_flag(caps, CAP_PERMITTED, toKeep.size(), toKeep.data(), CAP_SET) != 0) {
  62          cap_free(caps);
  63          throw std::runtime_error("Unable to set permitted flag capabilities: " + stringerror());
  64        }
  65      }
  66
  67      if (cap_set_proc(caps) != 0) {
  68        cap_free(caps);
  69        throw std::runtime_error("Unable to drop capabilities: " + stringerror());
  70      }
  71
  72      cap_free(caps);
  73    }
  74 #endif /* HAVE_LIBCAP */
  75 }