author | Matthias Schiffer <mschiffer@universe-factory.net> | 2016-02-22 21:29:04 +0100 |
---|---|---|
committer | Matthias Schiffer <mschiffer@universe-factory.net> | 2016-02-22 21:29:04 +0100 |
commit | 55aa537fb54a9c01820d4638babccdc8f8a0ef04 (patch) | |
tree | d5081deaaed2d60a851999d772dcb86d1b04aac8 /src | |
parent | 69c830f36376058df238bda39d15d42a0507af53 (diff) | |
download | fastd-55aa537fb54a9c01820d4638babccdc8f8a0ef04.tar fastd-55aa537fb54a9c01820d4638babccdc8f8a0ef04.zip |
Add "drop privileges force" option which allows dropping CAP_NET_ADMIN even when fastd thinks it might still need it
Diffstat (limited to 'src')
-rw-r--r-- | src/capabilities.c | 2 | ||||
-rw-r--r-- | src/config.y | 4 | ||||
-rw-r--r-- | src/fastd.c | 2 | ||||
-rw-r--r-- | src/lex.c | 1 | ||||
-rw-r--r-- | src/types.h | 1 |
5 files changed, 8 insertions, 2 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index 1feabba..f72b7f9 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -76,7 +76,7 @@ static void try_cap(cap_value_t cap) {
 /** Returns true if CAP_NET_ADMIN should be retained */
 static bool need_cap_net_admin(void) {
- return !fastd_config_persistent_ifaces();
+ return !fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE;
 }
 /** Returns true if CAP_NET_RAW should be retained */
diff --git a/src/config.y b/src/config.y
index a064d97..2e111ff 100644
--- a/src/config.y
+++ b/src/config.y
@@ -84,6 +84,7 @@
 %token TOK_ESTABLISH
 %token TOK_FATAL
 %token TOK_FLOAT
+%token TOK_FORCE
 %token TOK_FORWARD
 %token TOK_FROM
 %token TOK_GROUP
@@ -244,6 +245,9 @@ drop_capabilities_enabled:
 TOK_EARLY {
 $$ = DROP_CAPS_EARLY;
 }
+ | TOK_FORCE {
+ $$ = DROP_CAPS_FORCE;
+ }
 | boolean {
 $$ = $1 ? DROP_CAPS_ON : DROP_CAPS_OFF;
 }
diff --git a/src/fastd.c b/src/fastd.c
index 37b00f9..1c4a00f 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -571,7 +571,7 @@ static inline void init(int argc, char *argv[]) {
 exit_errno("status: close");
 }
- if (conf.drop_caps == DROP_CAPS_EARLY)
+ if (conf.drop_caps == DROP_CAPS_EARLY || conf.drop_caps == DROP_CAPS_FORCE)
 drop_caps();
 if (ctx.iface)
@@ -80,6 +80,7 @@ static const keyword_t keywords[] = {
 { "establish", TOK_ESTABLISH },
 { "fatal", TOK_FATAL },
 { "float", TOK_FLOAT },
+ { "force", TOK_FORCE },
 { "forward", TOK_FORWARD },
 { "from", TOK_FROM },
 { "group", TOK_GROUP },
diff --git a/src/types.h b/src/types.h
index 240a1bb..0792e1b 100644
--- a/src/types.h
+++ b/src/types.h
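Review bot: need_cap_net_admin() now returns false under DROP_CAPS_FORCE even when fastd_config_persistent_ifaces() is false, which (going by the commit message) is presumably the case where fastd would still need CAP_NET_ADMIN to set up interfaces later, and nothing in this hunk records that the operator has overridden that need. A log line at this decision point, emitted with the project's existing logging facility when the FORCE branch is the only reason the capability is dropped, would make a later interface-setup failure diagnosable instead of mysterious. The function comment should also state the override, e.g. `/** Returns true if CAP_NET_ADMIN should be retained; "force" drops it even when interfaces are not persistent */`. try_cap() named in the hunk header starts outside the hunk.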
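Review bot: The early-drop condition in init() now encodes "force implies early" inline, and whatever handles DROP_CAPS_ON after the on-up command (outside this hunk) presumably has to agree with it; a short comment at this site would keep the two from drifting, e.g. `/* "force" drops early like DROP_CAPS_EARLY and additionally never keeps CAP_NET_ADMIN, see need_cap_net_admin() */`. Avoid the tempting shortcut of comparing against the enum order (`>= DROP_CAPS_EARLY`): it would silently change meaning if a value is ever inserted. init() starts and ends outside the hunk.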
@@ -74,6 +74,7 @@ typedef enum fastd_drop_caps {
 DROP_CAPS_OFF, /**< The capabilities aren't dropped at all */
 DROP_CAPS_ON, /**< The capabilities are dropped after executing the on-up command */
 DROP_CAPS_EARLY, /**< The capabilities are dropped before executing the on-up command */
+ DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is always dropped */
 } fastd_drop_caps_t;
 /** Types of file descriptors to poll on */
|
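Review bot: The DROP_CAPS_FORCE doc comment states what is dropped but not the consequence the option's name is warning about: when interfaces are not persistent, fastd presumably still needs CAP_NET_ADMIN later, and with this value that later step will fail at runtime rather than at configuration time. Suggest `DROP_CAPS_FORCE, /**< Like DROP_CAPS_EARLY, but CAP_NET_ADMIN is dropped even when non-persistent interfaces are configured; interface setup after this point is expected to fail */`. Appending the new value at the end of the enum keeps the existing numeric values stable, which is the right choice.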