From: Remi Gacogne Date: Thu, 28 Oct 2021 14:12:52 +0000 (+0200) Subject: dnsdist: Add the ability to retain select capabilities at runtime X-Git-Tag: rec-4.6.0-beta1~16^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F10923%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Add the ability to retain select capabilities at runtime --- diff --git a/pdns/dnsdist-console.cc b/pdns/dnsdist-console.cc index 68ea689e75..44e33cc027 100644 --- a/pdns/dnsdist-console.cc +++ b/pdns/dnsdist-console.cc @@ -403,6 +403,7 @@ const std::vector g_consoleKeywords{ { "addACL", true, "netmask", "add to the ACL set who can use this server" }, { "addAction", true, "DNS rule, DNS action [, {uuid=\"UUID\", name=\"name\"}]", "add a rule" }, { "addBPFFilterDynBlocks", true, "addresses, dynbpf[[, seconds=10], msg]", "This is the eBPF equivalent of addDynBlocks(), blocking a set of addresses for (optionally) a number of seconds, using an eBPF dynamic filter" }, + { "addCapabilitiesToRetain", true, "capability or list of capabilities", "Linux capabilities to retain after startup, like CAP_BPF" }, { "addConsoleACL", true, "netmask", "add a netmask to the console ACL" }, { "addDNSCryptBind", true, "\"127.0.0.1:8443\", \"provider name\", \"/path/to/resolver.cert\", \"/path/to/resolver.key\", {reusePort=false, tcpFastOpenQueueSize=0, interface=\"\", cpus={}}", "listen to incoming DNSCrypt queries on 127.0.0.1 port 8443, with a provider name of `provider name`, using a resolver certificate and associated key stored respectively in the `resolver.cert` and `resolver.key` files. The fifth optional parameter is a table of parameters" }, { "addDOHLocal", true, "addr, certFile, keyFile [, urls [, vars]]", "listen to incoming DNS over HTTPS queries on the specified address using the specified certificate and key. The last two parameters are tables" }, diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index 27a2eef198..5d795a6d84 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc @@ -2764,6 +2764,22 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) libssl_generate_ocsp_response(certFile, caCert, caKey, outFile, ndays, nmin); }); #endif /* HAVE_LIBSSL && HAVE_OCSP_BASIC_SIGN*/ + + luaCtx.writeFunction("addCapabilitiesToRetain", [](boost::variant> caps) { + setLuaSideEffect(); + if (g_configurationDone) { + g_outputBuffer = "addCapabilitiesToRetain cannot be used at runtime!\n"; + return; + } + if (caps.type() == typeid(std::string)) { + g_capabilitiesToRetain.insert(boost::get(caps)); + } + else if (caps.type() == typeid(std::map)) { + for (const auto& cap : boost::get>(caps)) { + g_capabilitiesToRetain.insert(cap.second); + } + } + }); } vector> setupLua(LuaContext& luaCtx, bool client, bool configCheck, const std::string& config) diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 2e3e2a1cee..b2386707f0 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -37,6 +37,15 @@ The ``.`` means ``order`` is a data member, while the ``:`` means ``addPool`` is Global configuration -------------------- +.. function:: addCapabilitiesToRetain(capabilities) + + .. versionadded:: 1.7.0 + + Accept a Linux capability as a string, or a list of these, to retain after startup so that privileged operations can still be performed at runtime. + Keeping ``CAP_BPF`` on kernel 5.8+ for example allows loading eBPF programs and altering eBPF maps at runtime even if the ``kernel.unprivileged_bpf_disabled`` sysctl is set. + Note that this does not grant the capabilities to the process, doing so might be done by running it as root which we don't advise, or by adding capabilities via the systemd unit file, for example. + Please also be aware that switching to a different user via ``--uid`` will still drop all capabilities. + .. function:: includeDirectory(path) Include configuration files from ``path``.