From: Tomas Krizek Date: Tue, 26 Nov 2019 11:37:45 +0000 (+0100) Subject: daemon/main: add libcap-ng support to drop capabilities X-Git-Tag: v4.3.0~3^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a40efa5e3ea15d3a467521291bc962293f3bfa64;p=thirdparty%2Fknot-resolver.git daemon/main: add libcap-ng support to drop capabilities --- diff --git a/daemon/main.c b/daemon/main.c index 5501d9821..3a8185502 100644 --- a/daemon/main.c +++ b/daemon/main.c @@ -40,6 +40,10 @@ #include #include +#ifdef ENABLE_CAP_NG +#include +#endif + #include #include #if SYSTEMD_VERSION > 0 @@ -661,6 +665,25 @@ static int start_listening(struct network *net, flagged_fd_array_t *fds) { return some_bad_ret; } +/* Drop POSIX 1003.1e capabilities. */ +static void drop_capabilities(void) +{ +#ifdef ENABLE_CAP_NG + /* Drop all capabilities. */ + if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { + capng_clear(CAPNG_SELECT_BOTH); + + /* Apply. */ + if (capng_apply(CAPNG_SELECT_BOTH) < 0) { + kr_log_error("[system] failed to set process capabilities: %s\n", + strerror(errno)); + } + } else { + kr_log_info("[system] process not allowed to set capabilities, skipping\n"); + } +#endif /* ENABLE_CAP_NG */ +} + int main(int argc, char **argv) { struct args args; @@ -855,6 +878,7 @@ int main(int argc, char **argv) goto cleanup; } } + drop_capabilities(); if (engine_start(&engine) != 0) { ret = EXIT_FAILURE; goto cleanup; diff --git a/daemon/meson.build b/daemon/meson.build index a7efbb8d7..0f12c9f26 100644 --- a/daemon/meson.build +++ b/daemon/meson.build @@ -41,6 +41,7 @@ kresd_deps = [ luajit, gnutls, libsystemd, + capng, ] diff --git a/meson.build b/meson.build index 897b2c643..9825580ec 100644 --- a/meson.build +++ b/meson.build 
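Review bot: In `drop_capabilities()` the whole drop is gated on `CAP_SETPCAP` being in the effective set, so a process that holds other capabilities but not `CAP_SETPCAP` takes the else branch and keeps all of them. Under capset(2) semantics a process can always reduce its own effective, permitted and inheritable sets, and `CAP_SETPCAP` is only needed for the bounding set, so the fallback could clear `CAPNG_SELECT_CAPS` instead of skipping; this should be confirmed against the libcap-ng version in use. Separately, a failed `capng_apply()` is only logged and the daemon continues with its capabilities intact, and because the function returns void `main()` cannot react. The `strerror(errno)` text may also mislead, since libcap-ng reports failure through its return value and errno is not documented as set, so logging the return code is more reliable.

```c
static void drop_capabilities(void)
{
#ifdef ENABLE_CAP_NG
	/* The bounding set needs CAP_SETPCAP; the traditional sets can
	 * always be reduced by the process itself. */
	capng_select_t sel = capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)
		? CAPNG_SELECT_BOTH : CAPNG_SELECT_CAPS;
	capng_clear(sel);

	int rc = capng_apply(sel);
	if (rc < 0) {
		kr_log_error("[system] failed to drop process capabilities (capng_apply: %d)\n", rc);
	}
#endif /* ENABLE_CAP_NG */
}
```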
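Review bot: The new `drop_capabilities();` call in `main()` has no comment explaining why it sits exactly here, and its position is security-relevant: everything before it runs with the inherited capabilities and everything from `engine_start()` onward runs without them. If `engine_start()` evaluates user configuration that opens privileged sockets (not visible in this hunk), such setups would start failing once capabilities are gone, so the ordering contract deserves a line such as `/* All privileged setup must be finished by now; capabilities are dropped before the engine starts. */`. `main()` begins and ends outside the hunk, so the placement should be checked against the full function.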
@@ -30,7 +30,6 @@ luajit = dependency('luajit') # NOTE avoid using link_args for luajit due to a macOS issue # https://github.com/Homebrew/homebrew-core/issues/37169 luajit_inc = luajit.partial_dependency(compile_args: true, includes: true) -openssl = dependency('openssl', required: false) message('------------------------------') @@ -82,7 +81,12 @@ verbose_log = get_option('verbose_log') == 'enabled' or get_option('verbose_log' user = get_option('user') group = get_option('group') -## sendmmsg +## Optional dependencies +message('--- optional dependencies ---') +capng = dependency('libcap-ng', required: false) +openssl = dependency('openssl', required: false) + +### sendmmsg has_sendmmsg = meson.get_compiler('c').has_function('sendmmsg', prefix: '#define _GNU_SOURCE\n#include ') if get_option('sendmmsg') == 'enabled' and not has_sendmmsg @@ -93,8 +97,7 @@ else sendmmsg = get_option('sendmmsg') == 'enabled' endif -## Systemd -message('--- systemd socket activation ---') +### Systemd libsystemd = dependency('libsystemd', required: false) systemd_files = get_option('systemd_files') if systemd_files == 'enabled' and ( @@ -148,6 +151,7 @@ conf_data.set('SYSTEMD_VERSION', libsystemd.found() ? libsystemd.version().to_int() : -1) conf_data.set('NOVERBOSELOG', not verbose_log) conf_data.set('ENABLE_SENDMMSG', sendmmsg.to_int()) +conf_data.set('ENABLE_CAP_NG', capng.found()) kresconfig = configure_file( output: 'kresconfig.h',
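Review bot: `capng = dependency('libcap-ng', required: false)` makes the hardening purely auto-detected, so a build host without the libcap-ng development files silently produces a daemon in which `drop_capabilities()` compiles to a no-op. Unlike `sendmmsg` and `systemd_files` in this same file, which test for `== 'enabled'`, there is no option a packager can set to make the build fail when the library is missing. Consider adding an option in the same style (the name `capng` here is a placeholder) and calling `error()` when it is 'enabled' and `capng.found()` is false, so that a security feature cannot be lost unnoticed.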