src/reducecap.c

   1 // $Id: reducecap.c,v 1.1.4.2 2003/10/30 00:36:39 ensc Exp $
   2
   3 // Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
   4 // based on reducecap.cc by Jacques Gelinas
   5 //
   6 // This program is free software; you can redistribute it and/or modify
   7 // it under the terms of the GNU General Public License as published by
   8 // the Free Software Foundation; either version 2, or (at your option)
   9 // any later version.
  10 //
  11 // This program is distributed in the hope that it will be useful,
  12 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14 // GNU General Public License for more details.
  15 //
  16 // You should have received a copy of the GNU General Public License
  17 // along with this program; if not, write to the Free Software
  18 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  19
  20 #ifdef HAVE_CONFIG_H
  21 #  include <config.h>
  22 #endif
  23 #include "compat.h"
  24
  25 #include <stdio.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdlib.h>
  29 #include <string.h>
  30
  31 #include "linuxcaps.h"
  32 #include "vserver.h"
  33
  34 #ifndef CAP_QUOTACTL
  35 #  define CAP_QUOTACTL  29
  36 #endif
  37
  38 extern int capget (struct __user_cap_header_struct *, struct __user_cap_data_struct *);
  39 extern int capset (struct __user_cap_header_struct *, struct __user_cap_data_struct *);
  40
  41 static void usage()
  42 {
  43         fprintf (stderr,"reducecap version %s\n",VERSION);
  44         fprintf (stderr,"reducecap [ options ] command argument\n");
  45         exit (-1);
  46 }
  47
  48 static void reducecap_print(struct __user_cap_data_struct *user)
  49 {
  50         static const char *tb[]={
  51                 "CAP_CHOWN",
  52                 "CAP_DAC_OVERRIDE",
  53                 "CAP_DAC_READ_SEARCH",
  54                 "CAP_FOWNER",
  55                 "CAP_FSETID",
  56                 "CAP_KILL",
  57                 "CAP_SETGID",
  58                 "CAP_SETUID",
  59                 "CAP_SETPCAP",
  60                 "CAP_LINUX_IMMUTABLE",
  61                 "CAP_NET_BIND_SERVICE",
  62                 "CAP_NET_BROADCAST",
  63                 "CAP_NET_ADMIN",
  64                 "CAP_NET_RAW",
  65                 "CAP_IPC_LOCK",
  66                 "CAP_IPC_OWNER",
  67                 "CAP_SYS_MODULE",
  68                 "CAP_SYS_RAWIO",
  69                 "CAP_SYS_CHROOT",
  70                 "CAP_SYS_PTRACE",
  71                 "CAP_SYS_PACCT",
  72                 "CAP_SYS_ADMIN",
  73                 "CAP_SYS_BOOT",
  74                 "CAP_SYS_NICE",
  75                 "CAP_SYS_RESOURCE",
  76                 "CAP_SYS_TIME",
  77                 "CAP_SYS_TTY_CONFIG",
  78                 "CAP_MKNOD",
  79                 "CAP_LEASE",
  80                 "CAP_QUOTACTL",
  81                 NULL
  82         };
  83         int i;
  84         printf ("%22s %9s %9s %9s\n","Capability","Effective","Permitted"
  85                 ,"Inheritable");
  86         for (i=0; tb[i] != NULL; i++){
  87                 int bit = (1 << i);
  88                 printf ("%22s %9s %9s %9s\n"
  89                         ,tb[i]
  90                         ,(user->effective & bit) ? "X    " : " "
  91                         ,(user->permitted & bit) ? "X    " : " "
  92                         ,(user->inheritable & bit) ? "X    " : " ");
  93         }
  94 }
  95
  96 static void reducecap_show()
  97 {
  98         struct __user_cap_header_struct header;
  99         struct __user_cap_data_struct user;
 100         header.version = _LINUX_CAPABILITY_VERSION;
 101         header.pid = getpid();
 102         if (capget(&header,&user)==-1){
 103                 perror ("capget");
 104         }else{
 105                 reducecap_print (&user);
 106         }
 107 }
 108
 109
 110
 111 int main (int argc, char *argv[])
 112 {
 113         int ret = -1;
 114         unsigned long remove = 0;
 115         int show = 0;
 116         int flags = 0;
 117         unsigned long secure = (1<<CAP_LINUX_IMMUTABLE)
 118                 |(1<<CAP_NET_BROADCAST)
 119                 |(1<<CAP_NET_ADMIN)
 120                 |(1<<CAP_NET_RAW)
 121                 |(1<<CAP_IPC_LOCK)
 122                 |(1<<CAP_IPC_OWNER)
 123                 |(1<<CAP_SYS_MODULE)
 124                 |(1<<CAP_SYS_RAWIO)
 125                 |(1<<CAP_SYS_PACCT)
 126                 |(1<<CAP_SYS_ADMIN)
 127                 |(1<<CAP_SYS_BOOT)
 128                 |(1<<CAP_SYS_NICE)
 129                 |(1<<CAP_SYS_RESOURCE)
 130                 |(1<<CAP_SYS_TIME)
 131                 |(1<<CAP_MKNOD)
 132                 |(1<<CAP_QUOTACTL);
 133         int i;
 134         for (i=1; i<argc; i++){
 135                 const char *arg = argv[i];
 136                 const char *opt = argv[i+1];
 137                 if (strcmp(arg,"--secure")==0){
 138                         remove = secure;
 139                 }else if (strcmp(arg,"--show")==0){
 140                         show = 1;
 141                 }else if (strcmp(arg,"--flag")==0){
 142                         if (strcmp(opt,"lock")==0){
 143                                 flags |= 1;
 144                         }else if (strcmp(opt,"sched")==0){
 145                                 flags |= 2;
 146                         }else if (strcmp(opt,"nproc")==0){
 147                                 flags |= 4;
 148                         }else if (strcmp(opt,"private")==0){
 149                                 flags |= 8;
 150                         }else if (strcmp(opt,"hideinfo")==0){
 151                                 flags |= 32;
 152                         }else{
 153                                 fprintf (stderr,"Unknown flag %s\n",opt);
 154                         }
 155                         i++;
 156                 }else if (arg[0] == '-' && arg[1] == '-'){
 157                         static struct {
 158                                 const char *option;
 159                                 int bit;
 160                         }tbcap[]={
 161                                 // The following capabilities are normally available
 162                                 // to vservers administrator, but are place for
 163                                 // completeness
 164                                 {"CAP_CHOWN",CAP_CHOWN},
 165                                 {"CAP_DAC_OVERRIDE",CAP_DAC_OVERRIDE},
 166                                 {"CAP_DAC_READ_SEARCH",CAP_DAC_READ_SEARCH},
 167                                 {"CAP_FOWNER",CAP_FOWNER},
 168                                 {"CAP_FSETID",CAP_FSETID},
 169                                 {"CAP_KILL",CAP_KILL},
 170                                 {"CAP_SETGID",CAP_SETGID},
 171                                 {"CAP_SETUID",CAP_SETUID},
 172                                 {"CAP_SETPCAP",CAP_SETPCAP},
 173                                 {"CAP_SYS_TTY_CONFIG",CAP_SYS_TTY_CONFIG},
 174                                 {"CAP_LEASE",CAP_LEASE},
 175                                 {"CAP_SYS_CHROOT",CAP_SYS_CHROOT},
 176
 177                                 // Those capabilities are not normally available
 178                                 // to vservers because they are not needed and
 179                                 // may represent a security risk
 180                                 {"--LINUX_IMMUTABLE",CAP_LINUX_IMMUTABLE},
 181                                 {"--NET_BIND_SERVICE",CAP_NET_BIND_SERVICE},
 182                                 {"--NET_BROADCAST",CAP_NET_BROADCAST},
 183                                 {"--NET_ADMIN", CAP_NET_ADMIN},
 184                                 {"--NET_RAW",   CAP_NET_RAW},
 185                                 {"--IPC_LOCK",  CAP_IPC_LOCK},
 186                                 {"--IPC_OWNER", CAP_IPC_OWNER},
 187                                 {"--SYS_MODULE",CAP_SYS_MODULE},
 188                                 {"--SYS_RAWIO", CAP_SYS_RAWIO},
 189                                 {"--SYS_PACCT", CAP_SYS_PACCT},
 190                                 {"--SYS_ADMIN", CAP_SYS_ADMIN},
 191                                 {"--SYS_BOOT",  CAP_SYS_BOOT},
 192                                 {"--SYS_NICE",  CAP_SYS_NICE},
 193                                 {"--SYS_RESOURCE",CAP_SYS_RESOURCE},
 194                                 {"--SYS_TIME",  CAP_SYS_TIME},
 195                                 {"--MKNOD",             CAP_MKNOD},
 196                                 {"--QUOTACTL",          CAP_QUOTACTL},
 197                                 {NULL,0}
 198                         };
 199                         int j;
 200                         for (j=0; tbcap[j].option != NULL; j++){
 201                                 if (strcasecmp(tbcap[j].option,arg)==0){
 202                                         remove |= (1<<tbcap[j].bit);
 203                                         break;
 204                                 }
 205                         }
 206                         if (tbcap[j].option != NULL){
 207                                 usage();
 208                         }
 209                 }else{
 210                         break;
 211                 }
 212         }
 213         if (i == argc){
 214                 if (show){
 215                         reducecap_show();
 216                 }else{
 217                         usage();
 218                 }
 219         }else if (argv[i][0] == '-'){
 220                 usage();
 221         }else{
 222                 struct __user_cap_header_struct header;
 223                 struct __user_cap_data_struct user;
 224                 header.version = _LINUX_CAPABILITY_VERSION;
 225                 header.pid = 0;
 226                 if (capget(&header,&user)==-1){
 227                         perror ("capget");
 228                 }else{
 229                         if (show){
 230                                 reducecap_print (&user);
 231                         }
 232                         if (vc_new_s_context(-2,remove,flags)==-1){
 233                                 perror ("new_s_context -2");
 234                         }else{
 235                                 fprintf (stderr,"Executing\n");
 236                                 execvp (argv[i],argv+i);
 237                                 fprintf (stderr,"Can't execute command %s\n",argv[i]);
 238                         }
 239                 }
 240         }
 241         return ret;
 242 }
 243