emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use the raw capability interface via updated ncmlib rather than linking

Browse Source 
to libcap.
This commit is contained in:
Nicholas J. Kain 2014-04-07 15:05:34 -04:00
parent bb1ff7a506
commit d267c2c44b
5 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CMakeLists.txt
View File

@ -2,8 +2,8 @@ project (ndhc)
cmake_minimum_required (VERSION 2.6)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
if (WIN32)
set(OSNAME "Win32")

2
Makefile
View File

@ -36,7 +36,7 @@ ncmlib.a: $(NCM_OBJS)
$(RANLIB) $(BUILD_DIR)/$@
ndhc: $(NDHC_OBJS) ifchd-parse.o
$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o -lcap -lrt
$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o
.PHONY: all clean

3
src/ifchd.c
View File

@ -399,7 +399,8 @@ void ifch_main(void)
nk_set_chroot(chroot_dir);
memset(chroot_dir, '\0', sizeof chroot_dir);
nk_set_uidgid(ifch_uid, ifch_gid, "cap_net_admin=ep");
unsigned char keepcaps[] = { CAP_NET_ADMIN };
nk_set_uidgid(ifch_uid, ifch_gid, keepcaps, sizeof keepcaps);
do_ifch_work();
}

2
src/ndhc.c
View File

@ -408,7 +408,7 @@ static void ndhc_main(void) {
nk_set_chroot(chroot_dir);
memset(chroot_dir, '\0', sizeof chroot_dir);
nk_set_uidgid(ndhc_uid, ndhc_gid, NULL);
nk_set_uidgid(ndhc_uid, ndhc_gid, NULL, 0);
if (cs.ifsPrevState != IFS_UP)
ifchange_deconfig(&cs);

5
src/sockd.c
View File

@ -623,8 +623,9 @@ void sockd_main(void)
setup_signals_sockd();
nk_set_chroot(chroot_dir);
memset(chroot_dir, 0, sizeof chroot_dir);
nk_set_uidgid(sockd_uid, sockd_gid,
"cap_net_bind_service,cap_net_broadcast,cap_net_raw=ep");
unsigned char keepcaps[] = { CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST,
CAP_NET_RAW };
nk_set_uidgid(sockd_uid, sockd_gid, keepcaps, sizeof keepcaps);
do_sockd_work();
}