From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Thu, 4 Nov 2021 18:31:21 +0000 (-0400)
Subject: Dump capabilities to INFO() at various phases in the process lifecycle
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7817b308089473e205386c866bed5ad21bb4c4e;p=thirdparty%2Ffreeradius-server.git

Dump capabilities to INFO() at various phases in the process lifecycle
---

diff --git a/src/bin/radiusd.c b/src/bin/radiusd.c
index e6917da14b2..fd43782cf04 100644
--- a/src/bin/radiusd.c
+++ b/src/bin/radiusd.c
@@ -46,6 +46,10 @@ RCSID("$Id$")
 #include <freeradius-devel/util/misc.h>
 #include <freeradius-devel/util/syserror.h>
 
+#ifdef HAVE_CAPABILITY_H
+#include <freeradius-devel/util/cap.h
+#endif
+
 #include <ctype.h>
 #include <fcntl.h>
 #include <signal.h>
@@ -190,6 +194,21 @@ static void fr_exit_after(fr_event_list_t *el, fr_time_t now, void *uctx)
 }
 #endif
 
+#ifdef HAVE_CAPABILITIES_H
+#define DUMP_CAPABILITIES(_phase) \
+{ \
+	char *cap_str; \
+	if (fr_cap_set_to_str(autofree, &cap_str) < 0) { \
+		PWARN("Failed retrieving %s capabilities", _phase); \
+	} else { \
+		INFO("%s capabilities: %s", cap_str, _phase); \
+		talloc_free(cap_str); \
+	} \
+}
+#else
+#define DUMP_CAPABILITIES(_phase)
+#endif
+
 /** Entry point for the daemon
  *
  * @hidecallgraph
@@ -650,6 +669,8 @@ int main(int argc, char *argv[])
 		pid_t pid;
 		int devnull;
 
+		DUMP_CAPABILITIES("pre-fork");
+
 		/*
 		 *  Really weird things happen if we leave stdin open and call things like
 		 *  system() later.
@@ -729,6 +750,10 @@ int main(int argc, char *argv[])
 #ifdef HAVE_SETSID
 		setsid();
 #endif
+
+		DUMP_CAPABILITIES("post-fork");
+	} else {
+		DUMP_CAPABILITIES("pre-suid-down");
 	}
 
 	/*
@@ -821,6 +846,8 @@ int main(int argc, char *argv[])
 	 */
 	rad_suid_down_permanent();
 
+	DUMP_CAPABILITIES("post-suid-down");
+
 	/*
 	 *	Dropping down may change the RLIMIT_CORE value, so
 	 *	reset it back to what to should be here.
diff --git a/src/lib/util/cap.c b/src/lib/util/cap.c
index 9e718d12da8..cbfe56fa8c9 100644
--- a/src/lib/util/cap.c
+++ b/src/lib/util/cap.c
@@ -283,4 +283,33 @@ done:
 
 	return ret;
 }
+
+/** Snapshot the processes' current capability set, printing it to a string
+ *
+ * @param[in] ctx	Where to allocate the string.
+ * @param[out] out	The string containing the capabilities.
+ */
+ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out)
+{
+	cap_t caps = NULL;
+	char const *tmp;
+	size_t len;
+
+	caps = cap_get_proc();
+	if (unlikely(!caps)) {
+		fr_strerror_printf("Failed retrieving process capabilities: %s", fr_syserror(errno));
+		return -1;
+	}
+	tmp = cap_to_text(out, &len)
+	cap_free(caps);
+	if (unlikely(!tmp)) {
+		fr_strerror_printf("Failed converting capabilities to string: %s", fr_syserror(errno));
+		return -1;
+	}
+
+	*out = talloc_bstrndup(ctx, tmp, len);
+	free(tmp);
+
+	return ret;
+}
 #endif	/* HAVE_CAPABILITY_H */
diff --git a/src/lib/util/cap.h b/src/lib/util/cap.h
index 8b19362a32f..87bd76842f3 100644
--- a/src/lib/util/cap.h
+++ b/src/lib/util/cap.h
@@ -38,6 +38,8 @@ bool	fr_cap_is_enabled(cap_value_t cap, cap_flag_t set);
 int	fr_cap_enable(cap_value_t cap, cap_flag_t set);
 
 int	fr_cap_disable(cap_value_t cap, cap_flag_t set);
+
+ssize_t fr_cap_set_to_str(TALLOC_CTX *ctx, char **out);
 #endif
 
 #ifdef __cplusplus