src/libstrongswan/utils/capabilities.h

   1 /*
   2  * Copyright (C) 2013 Tobias Brunner
   3  * Copyright (C) 2012 Martin Willi
   4  *
   5  * Copyright (C) secunet Security Networks AG
   6  *
   7  * This program is free software; you can redistribute it and/or modify it
   8  * under the terms of the GNU General Public License as published by the
   9  * Free Software Foundation; either version 2 of the License, or (at your
  10  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  11  *
  12  * This program is distributed in the hope that it will be useful, but
  13  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  14  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  15  * for more details.
  16  */
  17
  18 /**
  19  * @defgroup capabilities capabilities
  20  * @{ @ingroup utils
  21  */
  22
  23 #ifndef CAPABILITIES_H_
  24 #define CAPABILITIES_H_
  25
  26 typedef struct capabilities_t capabilities_t;
  27
  28 #include <library.h>
  29 #ifdef HAVE_SYS_CAPABILITY_H
  30 # include <sys/capability.h>
  31 #elif defined(CAPABILITIES_NATIVE)
  32 # include <linux/capability.h>
  33 #endif
  34
  35 #ifndef CAP_CHOWN
  36 # define CAP_CHOWN 0
  37 #endif
  38 #ifndef CAP_NET_BIND_SERVICE
  39 # define CAP_NET_BIND_SERVICE 10
  40 #endif
  41 #ifndef CAP_NET_ADMIN
  42 # define CAP_NET_ADMIN 12
  43 #endif
  44 #ifndef CAP_NET_RAW
  45 # define CAP_NET_RAW 13
  46 #endif
  47 #ifndef CAP_DAC_OVERRIDE
  48 # define CAP_DAC_OVERRIDE 1
  49 #endif
  50 #ifndef CAP_SETPCAP
  51 # define CAP_SETPCAP 8
  52 #endif
  53
  54 /**
  55  * POSIX capability dropping abstraction layer.
  56  */
  57 struct capabilities_t {
  58
  59         /**
  60          * Register a capability to keep while calling drop(). Verifies that the
  61          * capability is currently held.
  62          *
  63          * @note CAP_CHOWN is handled specially as it might not be required.
  64          *
  65          * @param cap           capability to keep
  66          * @return                      FALSE if the capability is currently not held
  67          */
  68         bool (*keep)(capabilities_t *this,
  69                                  u_int cap) __attribute__((warn_unused_result));
  70
  71         /**
  72          * Check if the given capability is currently held.
  73          *
  74          * @note CAP_CHOWN is handled specially as it might not be required.
  75          *
  76          * @param cap           capability to check
  77          * @return                      TRUE if the capability is currently held
  78          */
  79         bool (*check)(capabilities_t *this, u_int cap);
  80
  81         /**
  82          * Get the user ID set through set_uid/resolve_uid.
  83          *
  84          * @return                      currently set user ID
  85          */
  86         uid_t (*get_uid)(capabilities_t *this);
  87
  88         /**
  89          * Get the group ID set through set_gid/resolve_gid.
  90          *
  91          * @return                      currently set group ID
  92          */
  93         gid_t (*get_gid)(capabilities_t *this);
  94
  95         /**
  96          * Set the numerical user ID to use during rights dropping.
  97          *
  98          * @param uid           user ID to use
  99          */
 100         void (*set_uid)(capabilities_t *this, uid_t uid);
 101
 102         /**
 103          * Set the numerical group ID to use during rights dropping.
 104          *
 105          * @param gid           group ID to use
 106          */
 107         void (*set_gid)(capabilities_t *this, gid_t gid);
 108
 109         /**
 110          * Resolve a username and set the user ID accordingly.
 111          *
 112          * @param username      username get the uid for
 113          * @return                      TRUE if username resolved and uid set
 114          */
 115         bool (*resolve_uid)(capabilities_t *this, char *username);
 116
 117         /**
 118          * Resolve a groupname and set the group ID accordingly.
 119          *
 120          * @param groupname     groupname to get the gid for
 121          * @return                      TRUE if groupname resolved and gid set
 122          */
 123         bool (*resolve_gid)(capabilities_t *this, char *groupname);
 124
 125         /**
 126          * Drop all capabilities not previously passed to keep(), switch to UID/GID.
 127          *
 128          * @return                      TRUE if capability drop successful
 129          */
 130         bool (*drop)(capabilities_t *this);
 131
 132         /**
 133          * Destroy a capabilities_t.
 134          */
 135         void (*destroy)(capabilities_t *this);
 136 };
 137
 138 /**
 139  * Create a capabilities instance.
 140  */
 141 capabilities_t *capabilities_create();
 142
 143 #endif /** CAPABILITIES_H_ @}*/