#include <freeradius-devel/util/misc.h>
#include <freeradius-devel/util/syserror.h>
+#ifdef HAVE_CAPABILITY_H
+#include <freeradius-devel/util/cap.h
+#endif
+
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
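Review bot: The added include for `cap.h` is missing its closing `>`, so the file will not preprocess when `HAVE_CAPABILITY_H` is defined; it should read `#include <freeradius-devel/util/cap.h>`. The guard here is `HAVE_CAPABILITY_H`, while the `DUMP_CAPABILITIES` definition in the next hunk tests `HAVE_CAPABILITIES_H`. The `#endif /* HAVE_CAPABILITY_H */` context in the hunk that adds `fr_cap_set_to_str` suggests the former is the spelling the build defines. If so, the macro silently compiles to nothing and the capability logging around `rad_suid_down_permanent()` never runs, so both guards should use one spelling.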
}
#endif
+#ifdef HAVE_CAPABILITIES_H
+#define DUMP_CAPABILITIES(_phase) \
+{ \
+ char *cap_str; \
+ if (fr_cap_set_to_str(autofree, &cap_str) < 0) { \
+ PWARN("Failed retrieving %s capabilities", _phase); \
+ } else { \
+ INFO("%s capabilities: %s", cap_str, _phase); \
+ talloc_free(cap_str); \
+ } \
+}
+#else
+#define DUMP_CAPABILITIES(_phase)
+#endif
+
/** Entry point for the daemon
*
* @hidecallgraph
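Review bot: The `INFO` call in `DUMP_CAPABILITIES` passes its arguments in the wrong order for the format string, so the capability text is printed where the phase label belongs; it should be `INFO("%s capabilities: %s", _phase, cap_str);`. The macro body is a bare `{ ... }` block, which leaves a stray empty statement after each `DUMP_CAPABILITIES(...);` and breaks under an unbraced `if`/`else`. Wrap it as `do { ... } while (0)` and define the empty variant the same way. The macro also reads `autofree` from the caller's scope, which deserves a comment above the definition, e.g. `/* Logs the current capability set; requires 'autofree' in the calling scope */`.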
pid_t pid;
int devnull;
+ DUMP_CAPABILITIES("pre-fork");
+
/*
* Really weird things happen if we leave stdin open and call things like
* system() later.
#ifdef HAVE_SETSID
setsid();
#endif
+
+ DUMP_CAPABILITIES("post-fork");
+ } else {
+ DUMP_CAPABILITIES("pre-suid-down");
}
/*
*/
rad_suid_down_permanent();
+ DUMP_CAPABILITIES("post-suid-down");
+
/*
* Dropping down may change the RLIMIT_CORE value, so
* reset it back to what to should be here.
return ret;
}
+
+/** Snapshot the processes' current capability set, printing it to a string
+ *
+ * @param[in] ctx Where to allocate the string.
+ * @param[out] out The string containing the capabilities.
+ */
+ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out)
+{
+ cap_t caps = NULL;
+ char const *tmp;
+ size_t len;
+
+ caps = cap_get_proc();
+ if (unlikely(!caps)) {
+ fr_strerror_printf("Failed retrieving process capabilities: %s", fr_syserror(errno));
+ return -1;
+ }
+ tmp = cap_to_text(out, &len)
+ cap_free(caps);
+ if (unlikely(!tmp)) {
+ fr_strerror_printf("Failed converting capabilities to string: %s", fr_syserror(errno));
+ return -1;
+ }
+
+ *out = talloc_bstrndup(ctx, tmp, len);
+ free(tmp);
+
+ return ret;
+}
#endif /* HAVE_CAPABILITY_H */
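Review bot: `fr_cap_set_to_str` cannot compile as added: `cap_to_text(out, &len)` passes the output pointer instead of `caps` and has no terminating `;`, and `return ret;` uses a variable that is never declared. `cap_to_text()` takes an `ssize_t *` for the length and returns memory that libcap documents as released with `cap_free()`, so `len` should be `ssize_t` and `tmp` a non-const `char *` freed with `cap_free(tmp)` rather than `free(tmp)`. The result of `talloc_bstrndup` is not checked, and the doc comment has no `@return` line. The sketch below assumes the intended return is the string length on success and -1 on error.

```c
ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out)
{
	cap_t	caps;
	char	*tmp;		/* allocated by libcap, released with cap_free() */
	ssize_t	len;

	/* … unchanged: cap_get_proc() and its error path … */

	tmp = cap_to_text(caps, &len);
	cap_free(caps);
	/* … unchanged: cap_to_text() error path … */

	*out = talloc_bstrndup(ctx, tmp, (size_t)len);
	cap_free(tmp);
	if (unlikely(!*out)) {
		fr_strerror_printf("Out of memory");
		return -1;
	}

	return len;
}
```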
int fr_cap_enable(cap_value_t cap, cap_flag_t set);
int fr_cap_disable(cap_value_t cap, cap_flag_t set);
+
+ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out);
#endif
#ifdef __cplusplus