Use the raw capability interface via updated ncmlib rather than linking
to libcap.
This commit is contained in:
Nicholas J. Kain
@@ -2,8 +2,8 @@ project (ndhc)
|
|||||||
|
|
||||||
cmake_minimum_required (VERSION 2.6)
|
cmake_minimum_required (VERSION 2.6)
|
||||||
|
|
||||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
|
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
|
||||||
set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
|
set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
|
||||||
|
|
||||||
if (WIN32)
|
if (WIN32)
|
||||||
set(OSNAME "Win32")
|
set(OSNAME "Win32")
|
||||||
|
|||||||
2
Makefile
2
Makefile
@@ -36,7 +36,7 @@ ncmlib.a: $(NCM_OBJS)
|
|||||||
$(RANLIB) $(BUILD_DIR)/$@
|
$(RANLIB) $(BUILD_DIR)/$@
|
||||||
|
|
||||||
ndhc: $(NDHC_OBJS) ifchd-parse.o
|
ndhc: $(NDHC_OBJS) ifchd-parse.o
|
||||||
$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o -lcap -lrt
|
$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o
|
||||||
|
|
||||||
.PHONY: all clean
|
.PHONY: all clean
|
||||||
|
|
||||||
|
|||||||
@@ -399,7 +399,8 @@ void ifch_main(void)
|
|||||||
|
|
||||||
nk_set_chroot(chroot_dir);
|
nk_set_chroot(chroot_dir);
|
||||||
memset(chroot_dir, '\0', sizeof chroot_dir);
|
memset(chroot_dir, '\0', sizeof chroot_dir);
|
||||||
nk_set_uidgid(ifch_uid, ifch_gid, "cap_net_admin=ep");
|
unsigned char keepcaps[] = { CAP_NET_ADMIN };
|
||||||
|
nk_set_uidgid(ifch_uid, ifch_gid, keepcaps, sizeof keepcaps);
|
||||||
|
|
||||||
do_ifch_work();
|
do_ifch_work();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -408,7 +408,7 @@ static void ndhc_main(void) {
|
|||||||
|
|
||||||
nk_set_chroot(chroot_dir);
|
nk_set_chroot(chroot_dir);
|
||||||
memset(chroot_dir, '\0', sizeof chroot_dir);
|
memset(chroot_dir, '\0', sizeof chroot_dir);
|
||||||
nk_set_uidgid(ndhc_uid, ndhc_gid, NULL);
|
nk_set_uidgid(ndhc_uid, ndhc_gid, NULL, 0);
|
||||||
|
|
||||||
if (cs.ifsPrevState != IFS_UP)
|
if (cs.ifsPrevState != IFS_UP)
|
||||||
ifchange_deconfig(&cs);
|
ifchange_deconfig(&cs);
|
||||||
|
|||||||
@@ -623,8 +623,9 @@ void sockd_main(void)
|
|||||||
setup_signals_sockd();
|
setup_signals_sockd();
|
||||||
nk_set_chroot(chroot_dir);
|
nk_set_chroot(chroot_dir);
|
||||||
memset(chroot_dir, 0, sizeof chroot_dir);
|
memset(chroot_dir, 0, sizeof chroot_dir);
|
||||||
nk_set_uidgid(sockd_uid, sockd_gid,
|
unsigned char keepcaps[] = { CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST,
|
||||||
"cap_net_bind_service,cap_net_broadcast,cap_net_raw=ep");
|
CAP_NET_RAW };
|
||||||
|
nk_set_uidgid(sockd_uid, sockd_gid, keepcaps, sizeof keepcaps);
|
||||||
do_sockd_work();
|
do_sockd_work();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user