author | Matthias Schiffer <mschiffer@universe-factory.net> | 2012-12-25 17:22:29 +0100 |
---|---|---|
committer | Matthias Schiffer <mschiffer@universe-factory.net> | 2012-12-25 17:22:29 +0100 |
commit | ae28e7c8b1c93c574081af79c54c02a4e916d3d8 (patch) | |
tree | 24d9ed28cb5225e9569ac0fe454f5db7c48853ff | |
parent | 78440eab81959ec7a95effd579fd87b7c56dbe3d (diff) | |
Remove capability locking feature
This isn't our job, so there is no reason to support this.
-rw-r--r-- | src/capabilities.c | 14 | ||||
-rw-r--r-- | src/config.l | 1 | ||||
-rw-r--r-- | src/config.y | 13 | ||||
-rw-r--r-- | src/fastd.c | 4 | ||||
-rw-r--r-- | src/fastd.h | 2 |
5 files changed, 1 insertions, 33 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index 415cce6..5ad2e45 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -72,17 +72,6 @@ void fastd_cap_init(fastd_context_t *ctx) {
 try_cap(ctx, CAP_NET_RAW);
 }
 
-void fastd_cap_lock(fastd_context_t *ctx) {
- if (prctl(PR_SET_SECUREBITS,
- SECBIT_KEEP_CAPS_LOCKED |
- SECBIT_NO_SETUID_FIXUP |
- SECBIT_NO_SETUID_FIXUP_LOCKED |
- SECBIT_NOROOT |
- SECBIT_NOROOT_LOCKED) < 0) {
- pr_debug_errno(ctx, "prctl");
- }
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 cap_t caps = cap_init();
 
@@ -103,9 +92,6 @@ void fastd_cap_drop(fastd_context_t *ctx) {
 void fastd_cap_init(fastd_context_t *ctx) {
 }
 
-void fastd_cap_lock(fastd_context_t *ctx) {
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 }
 
diff --git a/src/config.l b/src/config.l
index 1881575..04cc6b0 100644
--- a/src/config.l
+++ b/src/config.l
@@ -105,7 +105,6 @@ group { TOKEN(TOK_GROUP); }
 drop { TOKEN(TOK_DROP); }
 capabilities { TOKEN(TOK_CAPABILITIES); }
 early { TOKEN(TOK_EARLY); }
-lock { TOKEN(TOK_LOCK); }
 limit { TOKEN(TOK_LIMIT); }
 
 [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} {
diff --git a/src/config.y b/src/config.y
index 5794124..27fec71 100644
--- a/src/config.y
+++ b/src/config.y
@@ -105,7 +105,6 @@
 %token TOK_DROP
 %token TOK_CAPABILITIES
 %token TOK_EARLY
-%token TOK_LOCK
 %token TOK_LIMIT
 
 %token <addr4> TOK_ADDR4
@@ -135,7 +134,6 @@
 %type <num> maybe_bind_default
 %type <num> bind_default
 %type <num> drop_capabilities_enabled
-%type <boolean> drop_capabilities_lock
 
 %%
 start: START_CONFIG config
@@ -190,9 +188,8 @@ group: TOK_STRING {
 }
 
 drop_capabilities:
- drop_capabilities_enabled drop_capabilities_lock {
+ drop_capabilities_enabled {
 conf->drop_caps = $1;
- conf->lock_caps = $2;
 }
 
 drop_capabilities_enabled:
@@ -203,14 +200,6 @@ drop_capabilities_enabled:
 $$ = $1 ? DROP_CAPS_ON : DROP_CAPS_OFF;
 }
 
-drop_capabilities_lock:
- TOK_LOCK {
- $$ = true;
- }
- | {
- $$ = false;
- }
-
 log: TOK_LEVEL log_level {
 conf->log_stderr_level = $2;
 }
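Review bot: In `src/config.y` the `drop_capabilities:` rule now takes only `drop_capabilities_enabled`, and with `TOK_LOCK` also gone from `src/config.l` an existing configuration that still ends the statement with `lock` will presumably fail to parse, with nothing in the tree saying why. The removed `fastd_cap_lock()` set `SECBIT_NOROOT`, `SECBIT_NO_SETUID_FIXUP` and their `_LOCKED` variants plus `SECBIT_KEEP_CAPS_LOCKED`, so deployments that used the keyword lose that hardening unless the process that launches fastd applies it. I would record this next to the rule, e.g. `/* 'lock' was removed: securebits must be set by whatever starts fastd */`, and note the removal in the user-facing documentation. The rule's action block is complete within the hunk.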
diff --git a/src/fastd.c b/src/fastd.c
index b7a7a83..22d64b9 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -1050,11 +1050,7 @@ static void set_user(fastd_context_t *ctx) {
 }
 
 static void drop_caps(fastd_context_t *ctx) {
- if (ctx->conf->lock_caps)
- fastd_cap_lock(ctx);
-
 set_user(ctx);
-
 fastd_cap_drop(ctx);
 }
 
diff --git a/src/fastd.h b/src/fastd.h
index dc24579..df84c97 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -196,7 +196,6 @@ struct fastd_config {
 bool forward;
 
 fastd_drop_caps_t drop_caps;
- bool lock_caps;
 
 char *user;
 char *group;
@@ -325,7 +324,6 @@ void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char
 void fastd_reconfigure(fastd_context_t *ctx, fastd_config_t *conf);
 
 void fastd_cap_init(fastd_context_t *ctx);
-void fastd_cap_lock(fastd_context_t *ctx);
 void fastd_cap_drop(fastd_context_t *ctx);
 
 void fastd_random_bytes(fastd_context_t *ctx, void *buffer, size_t len, bool secure); |