From: Valentine Krasnobaeva Date: Sun, 14 Jul 2024 13:20:02 +0000 (+0200) Subject: MINOR: debug: keep runtime capabilities in post_mortem X-Git-Tag: v3.1-dev4~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93cc7df2761c75c866c5b3eec0da06375227bd91;p=thirdparty%2Fhaproxy.git MINOR: debug: keep runtime capabilities in post_mortem Let's extend postmortem to keep process runtime capabilities. This information is gathered in feed_post_mortem_late(), as it is called just before run_poll_loop() and we are sure at this moment, that all configuration settings were successfully applied. --- diff --git a/src/debug.c b/src/debug.c index d110a12ec5..4526d60402 100644 --- a/src/debug.c +++ b/src/debug.c @@ -122,7 +122,10 @@ struct post_mortem { struct { // initial process capabilities struct __user_cap_data_struct boot[_LINUX_CAPABILITY_U32S_3]; - int err; // errno, if capget() syscall fails + int err_boot; // errno, if capget() syscall fails at boot + // runtime process capabilities + struct __user_cap_data_struct run[_LINUX_CAPABILITY_U32S_3]; + int err_run; // errno, if capget() syscall fails at runtime } caps; #endif struct rlimit limit_fd; // RLIMIT_NOFILE @@ -509,10 +512,6 @@ static int debug_parse_cli_show_libs(char **args, char *payload, struct appctx * /* parse a "show dev" command. It returns 1 if it emits anything otherwise zero. */ static int debug_parse_cli_show_dev(char **args, char *payload, struct appctx *appctx, void *private) { -#if defined(USE_LINUX_CAP) - /* to dump runtime process capabilities */ - struct __user_cap_data_struct runtime_caps[_LINUX_CAPABILITY_U32S_3] = { }; -#endif const char **build_opt; int i; @@ -575,7 +574,7 @@ static int debug_parse_cli_show_dev(char **args, char *payload, struct appctx *a #if defined(USE_LINUX_CAP) /* let's dump saved in feed_post_mortem() initial capabilities sets */ - if(!post_mortem.process.caps.err) { + if(!post_mortem.process.caps.err_boot) { chunk_appendf(&trash, " boot capabilities:\n"); chunk_appendf(&trash, " \tCapEff: 0x%016llx\n", CAPS_TO_ULLONG(post_mortem.process.caps.boot[0].effective, @@ -588,23 +587,23 @@ static int debug_parse_cli_show_dev(char **args, char *payload, struct appctx *a post_mortem.process.caps.boot[1].inheritable)); } else chunk_appendf(&trash, " capget() failed at boot with: %s.\n", - strerror(post_mortem.process.caps.err)); + strerror(post_mortem.process.caps.err_boot)); /* let's print actual capabilities sets, could be useful in order to compare */ - if (capget(&cap_hdr_haproxy, runtime_caps) == 0) { + if (!post_mortem.process.caps.err_run) { chunk_appendf(&trash, " runtime capabilities:\n"); chunk_appendf(&trash, " \tCapEff: 0x%016llx\n", - CAPS_TO_ULLONG(runtime_caps[0].effective, - runtime_caps[1].effective)); + CAPS_TO_ULLONG(post_mortem.process.caps.run[0].effective, + post_mortem.process.caps.run[1].effective)); chunk_appendf(&trash, " \tCapPrm: 0x%016llx\n", - CAPS_TO_ULLONG(runtime_caps[0].permitted, - runtime_caps[1].permitted)); + CAPS_TO_ULLONG(post_mortem.process.caps.run[0].permitted, + post_mortem.process.caps.run[1].permitted)); chunk_appendf(&trash, " \tCapInh: 0x%016llx\n", - CAPS_TO_ULLONG(runtime_caps[0].inheritable, - runtime_caps[1].inheritable)); + CAPS_TO_ULLONG(post_mortem.process.caps.run[0].inheritable, + post_mortem.process.caps.run[1].inheritable)); } else chunk_appendf(&trash, " capget() failed at runtime with: %s.\n", - strerror(errno)); + strerror(post_mortem.process.caps.err_run)); #endif if ((ulong)post_mortem.process.limit_fd.rlim_cur != RLIM_INFINITY) chunk_appendf(&trash, " fd limit (soft): %lu\n", (ulong)post_mortem.process.limit_fd.rlim_cur); @@ -2343,7 +2342,7 @@ static int feed_post_mortem() #if defined(USE_LINUX_CAP) if (capget(&cap_hdr_haproxy, post_mortem.process.caps.boot) == -1) - post_mortem.process.caps.err = errno; + post_mortem.process.caps.err_boot = errno; #endif getrlimit(RLIMIT_NOFILE, &post_mortem.process.limit_fd); getrlimit(RLIMIT_DATA, &post_mortem.process.limit_ram); @@ -2437,6 +2436,11 @@ static int feed_post_mortem_late() */ post_mortem.process.run_uid = geteuid(); post_mortem.process.run_gid = getegid(); +#if defined(USE_LINUX_CAP) + if (capget(&cap_hdr_haproxy, post_mortem.process.caps.run) == -1) { + post_mortem.process.caps.err_run = errno; + } +#endif return 1; }