1 // $Id: reducecap.c,v 1.1.4.4 2004/03/05 04:59:36 ensc Exp $
3 // Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
4 // based on reducecap.cc by Jacques Gelinas
6 // This program is free software; you can redistribute it and/or modify
7 // it under the terms of the GNU General Public License as published by
8 // the Free Software Foundation; either version 2, or (at your option)
11 // This program is distributed in the hope that it will be useful,
12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 // GNU General Public License for more details.
16 // You should have received a copy of the GNU General Public License
17 // along with this program; if not, write to the Free Software
18 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include "linuxcaps.h"
// Bit number used for CAP_QUOTACTL when this definition is compiled in.
// NOTE(review): the indented "# define" suggests an enclosing preprocessor
// conditional that is not visible in this listing — confirm.
36 # define CAP_QUOTACTL 29
// Hand-written prototypes for the capability calls. Both take a header
// (version + pid) and a data struct (effective/permitted/inheritable masks).
// Only capget() is called in the lines visible here.
39 extern int capget (struct __user_cap_header_struct *, struct __user_cap_data_struct *);
40 extern int capset (struct __user_cap_header_struct *, struct __user_cap_data_struct *);
// Usage text: the program version, then the command-line synopsis, both
// written to stderr.
// NOTE(review): the enclosing function header is not visible in this listing.
44 fprintf (stderr,"reducecap version %s\n",VERSION);
45 fprintf (stderr,"reducecap [ options ] command argument\n");
// Print a table of capabilities, one row per name in tb[], with an "X" in the
// Effective / Permitted / third column when the matching bit is set in
// user->effective, user->permitted or user->inheritable.
49 static void reducecap_print(struct __user_cap_data_struct *user)
// Capability names; the loop below walks the table until it reaches a NULL
// entry. Not every entry is visible in this listing.
// NOTE(review): presumably the index of a name equals its capability bit
// number — confirm against the full table.
51 static const char *tb[]={
54 "CAP_DAC_READ_SEARCH",
61 "CAP_LINUX_IMMUTABLE",
62 "CAP_NET_BIND_SERVICE",
// Column headings; the format expects four strings, the last of which is not
// visible in this listing.
85 printf ("%22s %9s %9s %9s\n","Capability","Effective","Permitted"
// One row per named capability.
// NOTE(review): `bit` is not defined in the visible lines; presumably it is
// the mask for entry i — confirm.
87 for (i=0; tb[i] != NULL; i++){
89 printf ("%22s %9s %9s %9s\n"
91 ,(user->effective & bit) ? "X " : " "
92 ,(user->permitted & bit) ? "X " : " "
93 ,(user->inheritable & bit) ? "X " : " ");
// Query the calling process's own capability sets with capget() and print
// them with reducecap_print().
97 static void reducecap_show()
99 struct __user_cap_header_struct header;
100 struct __user_cap_data_struct user;
// Select the capability ABI version and target this process.
101 header.version = _LINUX_CAPABILITY_VERSION;
102 header.pid = getpid();
// capget() is treated as failed when it returns -1; the body of that branch
// is not visible in this listing.
// NOTE(review): `user` has no initialiser, so it holds indeterminate values
// unless capget() filled it in; the print below must only run on the success
// path — confirm against the full source.
103 if (capget(&header,&user)==-1){
106 reducecap_print (&user);
// Entry point: parse the options, build the mask of capabilities to drop
// (`remove`), apply it with vc_new_s_context() and then exec the command that
// follows the options.
// NOTE(review): many lines of this function are not visible in this listing;
// the comments below describe only what the visible lines show.
112 int main (int argc, char *argv[])
// Accumulated mask of capability bits to remove; one bit per capability.
115 unsigned long remove = 0;
// Predefined mask built from individual capability bits (only part of the
// expression is visible).
// NOTE(review): presumably this is the set dropped by --secure — confirm.
// NOTE(review): `1<<n` is evaluated as int, so a bit number of 31 would
// overflow a signed int (undefined behaviour). The only bit number visible in
// this listing is CAP_QUOTACTL (29); `1UL<<n` would match the variable's type.
118 unsigned long secure = (1<<CAP_LINUX_IMMUTABLE)
119 |(1<<CAP_NET_BROADCAST)
130 |(1<<CAP_SYS_RESOURCE)
// Option loop over the command-line arguments.
135 for (i=1; i<argc; i++){
136 const char *arg = argv[i];
// Look-ahead at the next argument. argv[argc] is a null pointer, so `opt` is
// NULL when `arg` is the last argument on the command line.
137 const char *opt = argv[i+1];
138 if (strcmp(arg,"--secure")==0){
140 }else if (strcmp(arg,"--show")==0){
142 }else if (strcmp(arg,"--flag")==0){
// NOTE(review): no NULL check on `opt` is visible before this strcmp(). If
// "--flag" is the last argument, `opt` is NULL and strcmp(NULL, ...) is
// undefined behaviour (typically a crash). Reject a missing flag value, for
// example by printing the usage text, before comparing.
143 if (strcmp(opt,"lock")==0){
145 }else if (strcmp(opt,"sched")==0){
147 }else if (strcmp(opt,"nproc")==0){
149 }else if (strcmp(opt,"private")==0){
151 }else if (strcmp(opt,"hideinfo")==0){
// None of the known flag names matched.
154 fprintf (stderr,"Unknown flag %s\n",opt);
// Any other argument starting with "--" is handled here; the visible lines
// below look it up as a capability name in tbcap[].
157 }else if (arg[0] == '-' && arg[1] == '-'){
// Name-to-bit table: each entry pairs an option name (without the "CAP_"
// prefix) with its capability bit number. The table's declaration line is not
// visible in this listing.
162 // The following capabilities are normally available
163 // to vservers administrator, but are place for
166 {"DAC_OVERRIDE",CAP_DAC_OVERRIDE},
167 {"DAC_READ_SEARCH",CAP_DAC_READ_SEARCH},
168 {"FOWNER",CAP_FOWNER},
169 {"FSETID",CAP_FSETID},
171 {"SETGID",CAP_SETGID},
172 {"SETUID",CAP_SETUID},
173 {"SETPCAP",CAP_SETPCAP},
174 {"SYS_TTY_CONFIG",CAP_SYS_TTY_CONFIG},
176 {"SYS_CHROOT",CAP_SYS_CHROOT},
178 // Those capabilities are not normally available
179 // to vservers because they are not needed and
180 // may represent a security risk
181 {"LINUX_IMMUTABLE",CAP_LINUX_IMMUTABLE},
182 {"NET_BIND_SERVICE",CAP_NET_BIND_SERVICE},
183 {"NET_BROADCAST",CAP_NET_BROADCAST},
184 {"NET_ADMIN", CAP_NET_ADMIN},
185 {"NET_RAW", CAP_NET_RAW},
186 {"IPC_LOCK", CAP_IPC_LOCK},
187 {"IPC_OWNER", CAP_IPC_OWNER},
188 {"SYS_MODULE",CAP_SYS_MODULE},
189 {"SYS_RAWIO", CAP_SYS_RAWIO},
190 {"SYS_PACCT", CAP_SYS_PACCT},
191 {"SYS_ADMIN", CAP_SYS_ADMIN},
192 {"SYS_BOOT", CAP_SYS_BOOT},
193 {"SYS_NICE", CAP_SYS_NICE},
194 {"SYS_RESOURCE",CAP_SYS_RESOURCE},
195 {"SYS_TIME", CAP_SYS_TIME},
196 {"MKNOD", CAP_MKNOD},
197 {"QUOTACTL", CAP_QUOTACTL},
// Accept the name with or without a leading "CAP_", compared without regard
// to case.
// NOTE(review): presumably the leading "--" has been skipped on a line that is
// not visible here — confirm.
206 if (strncasecmp(arg, "CAP_", 4)==0) arg += 4;
// Linear search of the table; a match adds that capability's bit to `remove`.
207 for (j=0; tbcap[j].option != NULL; j++){
208 if (strcasecmp(tbcap[j].option,arg)==0){
// Same int-width shift as in the `secure` initialiser; safe only while every
// bit number in the table is below 31.
209 remove |= (1<<tbcap[j].bit);
// The search reached the terminating entry, i.e. the name matched nothing.
// The handling of that case is not visible in this listing.
213 if (tbcap[j].option == NULL){
// Read the current capability sets and print them before they are changed.
// NOTE(review): the condition guarding this part and the assignment of
// header.pid are not visible in this listing — confirm both exist.
227 struct __user_cap_header_struct header;
228 struct __user_cap_data_struct user;
229 header.version = _LINUX_CAPABILITY_VERSION;
231 if (capget(&header,&user)==-1){
235 reducecap_print (&user);
// Apply the reduction: pass the removal mask and the flags to
// vc_new_s_context(). The meaning of the first argument (-2) is not
// established by the visible code.
// NOTE(review): when this call fails, the command must not be started with
// its capabilities unreduced. The line between perror() and "Executing" is
// not visible; confirm the exec below sits in the success branch only.
237 if (vc_new_s_context(-2,remove,flags)==-1){
238 perror ("new_s_context -2");
240 fprintf (stderr,"Executing\n");
// Replace this process with the command; argv[i] is the command name and
// argv+i its argument vector.
// NOTE(review): confirm that a check for a missing command (i == argc, so
// argv[i] is NULL) runs before this point.
241 execvp (argv[i],argv+i);
// Reached only if execvp() returned, which means the exec failed.
242 fprintf (stderr,"Can't execute command %s\n",argv[i]);