daemon/main: add libcap-ng support to drop capabilities
authorTomas Krizek <tomas.krizek@nic.cz>
Tue, 26 Nov 2019 11:37:45 +0000 (12:37 +0100)
committerTomas Krizek <tomas.krizek@nic.cz>
Tue, 3 Dec 2019 11:13:12 +0000 (12:13 +0100)
daemon/main.c
daemon/meson.build
meson.build

index 5501d982117b6acc33383ff5f4bddd3b4c515d1f..3a81855023976d8dec47de123bd341c4bf1c8bcd 100644 (file)
 #include <sys/resource.h>
 #include <unistd.h>
 
+#ifdef ENABLE_CAP_NG
+#include <cap-ng.h>
+#endif
+
 #include <lua.h>
 #include <uv.h>
 #if SYSTEMD_VERSION > 0
@@ -661,6 +665,25 @@ static int start_listening(struct network *net, flagged_fd_array_t *fds) {
        return some_bad_ret;
 }
 
+/* Drop POSIX 1003.1e capabilities. */
+static void drop_capabilities(void)
+{
+#ifdef ENABLE_CAP_NG
+       /* Drop all capabilities. */
+       if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+               capng_clear(CAPNG_SELECT_BOTH);
+
+               /* Apply. */
+               if (capng_apply(CAPNG_SELECT_BOTH) < 0) {
+                       kr_log_error("[system] failed to set process capabilities: %s\n",
+                                 strerror(errno));
+               }
+       } else {
+               kr_log_info("[system] process not allowed to set capabilities, skipping\n");
+       }
+#endif /* ENABLE_CAP_NG */
+}
+
 int main(int argc, char **argv)
 {
        struct args args;
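Review bot: When capng_apply() on line 35 fails, the error is only logged and the daemon carries on with every capability it started with, which is the opposite of what the caller expects; because drop_capabilities() returns void, the call added in main() in the following hunk cannot react to it either. The CAP_SETPCAP gate on line 31 is also stricter than needed: capset(2) lets a process remove entries from its own permitted and effective sets without any privilege, and only the bounding-set drop behind CAPNG_SELECT_BOUNDS requires CAP_SETPCAP, so a process started with just CAP_NET_BIND_SERVICE skips the drop entirely and keeps it. I would make the function return a status, fall back to CAPNG_SELECT_CAPS when the bounding set cannot be touched, and fail startup from main() with the usual `ret = EXIT_FAILURE; goto cleanup;` when it reports an error. libcap-ng encodes which step failed in capng_apply()'s negative return value and, as far as I can tell, errno is not meaningful on every failure path, so the return code is worth logging next to strerror().
```c
/* Drop POSIX 1003.1e capabilities.  Returns 0 on success, -1 when the
 * process still holds capabilities it was unable to drop. */
static int drop_capabilities(void)
{
#ifdef ENABLE_CAP_NG
	/* Dropping from the permitted/effective sets needs no privilege;
	 * only clearing the bounding set requires CAP_SETPCAP. */
	capng_select_t sets = capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)
		? CAPNG_SELECT_BOTH : CAPNG_SELECT_CAPS;
	capng_clear(sets);
	int err = capng_apply(sets);
	if (err != 0) {
		kr_log_error("[system] failed to set process capabilities (%d): %s\n",
			     err, strerror(errno));
		return -1;
	}
#endif /* ENABLE_CAP_NG */
	return 0;
}
```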
@@ -855,6 +878,7 @@ int main(int argc, char **argv)
                        goto cleanup;
                }
        }
+       drop_capabilities();
        if (engine_start(&engine) != 0) {
                ret = EXIT_FAILURE;
                goto cleanup;
index a7efbb8d72634e21ddfa467e006ccc37c4107caa..0f12c9f260d497704c2f7d07a9cd36106e6f0251 100644 (file)
@@ -41,6 +41,7 @@ kresd_deps = [
   luajit,
   gnutls,
   libsystemd,
+  capng,
 ]
 
 
index 897b2c64362ec2027f3e724cacc1070ee0fc22a5..9825580eca3a31707b5bac8d11b1055b44262887 100644 (file)
@@ -30,7 +30,6 @@ luajit = dependency('luajit')
 # NOTE avoid using link_args for luajit due to a macOS issue
 # https://github.com/Homebrew/homebrew-core/issues/37169
 luajit_inc = luajit.partial_dependency(compile_args: true, includes: true)
-openssl = dependency('openssl', required: false)
 message('------------------------------')
 
 
@@ -82,7 +81,12 @@ verbose_log = get_option('verbose_log') == 'enabled' or get_option('verbose_log'
 user = get_option('user')
 group = get_option('group')
 
-## sendmmsg
+## Optional dependencies
+message('--- optional dependencies ---')
+capng = dependency('libcap-ng', required: false)
+openssl = dependency('openssl', required: false)
+
+### sendmmsg
 has_sendmmsg = meson.get_compiler('c').has_function('sendmmsg',
   prefix: '#define _GNU_SOURCE\n#include <sys/socket.h>')
 if get_option('sendmmsg') == 'enabled' and not has_sendmmsg
@@ -93,8 +97,7 @@ else
   sendmmsg = get_option('sendmmsg') == 'enabled'
 endif
 
-## Systemd
-message('--- systemd socket activation ---')
+### Systemd
 libsystemd = dependency('libsystemd', required: false)
 systemd_files = get_option('systemd_files')
 if systemd_files == 'enabled' and (
@@ -148,6 +151,7 @@ conf_data.set('SYSTEMD_VERSION',
   libsystemd.found() ? libsystemd.version().to_int() : -1)
 conf_data.set('NOVERBOSELOG', not verbose_log)
 conf_data.set('ENABLE_SENDMMSG', sendmmsg.to_int())
+conf_data.set('ENABLE_CAP_NG', capng.found())
 
 kresconfig = configure_file(
   output: 'kresconfig.h',