/*
 * Copyright (C) 2013 Tobias Brunner
 * Copyright (C) 2012 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 */
/**
 * @defgroup capabilities capabilities
 * @{
 */
23 #ifndef CAPABILITIES_H_
24 #define CAPABILITIES_H_
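/* Forward declaration; struct capabilities_t is defined further down. */
typedef struct capabilities_t capabilities_t;

/*
 * Take the capability constants from <sys/capability.h> when the build found
 * it, otherwise from the kernel header when CAPABILITIES_NATIVE is defined.
 */
#ifdef HAVE_SYS_CAPABILITY_H
# include <sys/capability.h>
#elif defined(CAPABILITIES_NATIVE)
# include <linux/capability.h>
#endif

/*
 * NOTE(review): the listing this was restored from skips some lines at this
 * point. keep() and check() refer to CAP_CHOWN, so confirm against the
 * upstream header whether a CAP_CHOWN fallback belongs here as well.
 */

/*
 * Fallback definitions for builds in which neither header above supplied the
 * constants. The values are the Linux capability numbers and must stay in
 * sync with <linux/capability.h>; a wrong number here would make keep()
 * retain a different privilege than the caller asked for. Each constant has
 * its own guard so that a header defining only some of them does not cause a
 * redefinition.
 */
#ifndef CAP_NET_BIND_SERVICE
# define CAP_NET_BIND_SERVICE 10
#endif
#ifndef CAP_NET_ADMIN
# define CAP_NET_ADMIN 12
#endif
#ifndef CAP_NET_RAW
# define CAP_NET_RAW 13
#endif
#ifndef CAP_DAC_OVERRIDE
# define CAP_DAC_OVERRIDE 1
#endif
#ifndef CAP_SETPCAP
# define CAP_SETPCAP 8
#endif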
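/**
 * POSIX capability dropping abstraction layer.
 *
 * Intended call sequence, as far as the member documentation shows: register
 * every capability that must survive with keep(), set the target identity
 * with set_uid()/resolve_uid() and set_gid()/resolve_gid(), then call drop()
 * once.
 */
struct capabilities_t {

	/**
	 * Register a capability to keep while calling drop(). Verifies that the
	 * capability is currently held.
	 *
	 * The result must be checked (warn_unused_result): FALSE means the
	 * capability is not available to the process, so a feature depending on
	 * it cannot work after drop().
	 *
	 * @note CAP_CHOWN is handled specially as it might not be required.
	 *
	 * @param cap		capability to keep
	 * @return			FALSE if the capability is currently not held
	 */
	bool (*keep)(capabilities_t *this,
				 u_int cap) __attribute__((warn_unused_result));

	/**
	 * Check if the given capability is currently held.
	 *
	 * @note CAP_CHOWN is handled specially as it might not be required.
	 *
	 * @param cap		capability to check
	 * @return			TRUE if the capability is currently held
	 */
	bool (*check)(capabilities_t *this, u_int cap);

	/**
	 * Get the user ID set through set_uid/resolve_uid.
	 *
	 * @return			currently set user ID
	 */
	uid_t (*get_uid)(capabilities_t *this);

	/**
	 * Get the group ID set through set_gid/resolve_gid.
	 *
	 * @return			currently set group ID
	 */
	gid_t (*get_gid)(capabilities_t *this);

	/**
	 * Set the numerical user ID to use during rights dropping.
	 *
	 * @param uid		user ID to use
	 */
	void (*set_uid)(capabilities_t *this, uid_t uid);

	/**
	 * Set the numerical group ID to use during rights dropping.
	 *
	 * @param gid		group ID to use
	 */
	void (*set_gid)(capabilities_t *this, gid_t gid);

	/**
	 * Resolve a username and set the user ID accordingly.
	 *
	 * On FALSE no user ID was set by this call, so the caller must not go on
	 * to drop() expecting to end up as the named user.
	 *
	 * @param username	username to get the uid for
	 * @return			TRUE if username resolved and uid set
	 */
	bool (*resolve_uid)(capabilities_t *this, char *username);

	/**
	 * Resolve a groupname and set the group ID accordingly.
	 *
	 * On FALSE no group ID was set by this call, so the caller must not go on
	 * to drop() expecting to end up in the named group.
	 *
	 * @param groupname	groupname to get the gid for
	 * @return			TRUE if groupname resolved and gid set
	 */
	bool (*resolve_gid)(capabilities_t *this, char *groupname);

	/**
	 * Drop all capabilities not previously passed to keep(), switch to UID/GID.
	 *
	 * The UID/GID are the ones set through set_uid()/resolve_uid() and
	 * set_gid()/resolve_gid().
	 *
	 * NOTE(review): unlike keep(), this member is not marked
	 * warn_unused_result, so the compiler will not flag an ignored result.
	 * Callers should still check it: after FALSE the header gives no guarantee
	 * about which privileges the process still holds, so continuing is unsafe.
	 *
	 * @return			TRUE if capability drop successful
	 */
	bool (*drop)(capabilities_t *this);

	/**
	 * Destroy a capabilities_t.
	 */
	void (*destroy)(capabilities_t *this);
};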
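/**
 * Create a capabilities instance.
 *
 * Declared with an explicit (void) parameter list so that the compiler
 * rejects calls that pass arguments; an empty list would leave the
 * parameters unspecified.
 *
 * NOTE(review): whether this can return NULL is not visible from the header;
 * confirm against the implementation before relying on the result.
 *
 * @return			capabilities_t instance, to be released with destroy()
 */
capabilities_t *capabilities_create(void);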
143 #endif /** CAPABILITIES_H_ @}*/