-rw-r--r-- | src/capabilities.c | 14 | ||||
-rw-r--r-- | src/config.l | 1 | ||||
-rw-r--r-- | src/config.y | 13 | ||||
-rw-r--r-- | src/fastd.c | 4 | ||||
-rw-r--r-- | src/fastd.h | 2 |
5 files changed, 1 insertions, 33 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index 415cce6..5ad2e45 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -72,17 +72,6 @@ void fastd_cap_init(fastd_context_t *ctx) {
 try_cap(ctx, CAP_NET_RAW);
 }
 
-void fastd_cap_lock(fastd_context_t *ctx) {
- if (prctl(PR_SET_SECUREBITS,
- SECBIT_KEEP_CAPS_LOCKED |
- SECBIT_NO_SETUID_FIXUP |
- SECBIT_NO_SETUID_FIXUP_LOCKED |
- SECBIT_NOROOT |
- SECBIT_NOROOT_LOCKED) < 0) {
- pr_debug_errno(ctx, "prctl");
- }
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 cap_t caps = cap_init();
 
@@ -103,9 +92,6 @@ void fastd_cap_drop(fastd_context_t *ctx) {
 void fastd_cap_init(fastd_context_t *ctx) {
 }
 
-void fastd_cap_lock(fastd_context_t *ctx) {
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 }
 
diff --git a/src/config.l b/src/config.l
index 1881575..04cc6b0 100644
--- a/src/config.l
+++ b/src/config.l
@@ -105,7 +105,6 @@ group { TOKEN(TOK_GROUP); }
 drop { TOKEN(TOK_DROP); }
 capabilities { TOKEN(TOK_CAPABILITIES); }
 early { TOKEN(TOK_EARLY); }
-lock { TOKEN(TOK_LOCK); }
 limit { TOKEN(TOK_LIMIT); }
 
 [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} {
diff --git a/src/config.y b/src/config.y
index 5794124..27fec71 100644
--- a/src/config.y
+++ b/src/config.y
@@ -105,7 +105,6 @@
 %token TOK_DROP
 %token TOK_CAPABILITIES
 %token TOK_EARLY
-%token TOK_LOCK
 %token TOK_LIMIT
 
 %token <addr4> TOK_ADDR4
@@ -135,7 +134,6 @@
 %type <num> maybe_bind_default
 %type <num> bind_default
 %type <num> drop_capabilities_enabled
-%type <boolean> drop_capabilities_lock
 
 %%
 start: START_CONFIG config
@@ -190,9 +188,8 @@ group: TOK_STRING {
 }
 
 drop_capabilities:
- drop_capabilities_enabled drop_capabilities_lock {
+ drop_capabilities_enabled {
 conf->drop_caps = $1;
- conf->lock_caps = $2;
 }
 
 drop_capabilities_enabled:
@@ -203,14 +200,6 @@ drop_capabilities_enabled:
 $$ = $1 ? DROP_CAPS_ON : DROP_CAPS_OFF;
 }
 
-drop_capabilities_lock:
- TOK_LOCK {
- $$ = true;
- }
- | {
- $$ = false;
- }
-
 log: TOK_LEVEL log_level {
 conf->log_stderr_level = $2;
 }
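Review bot: With fastd_cap_lock() removed, the Linux `drop capabilities` path no longer sets any securebits (SECBIT_NOROOT, SECBIT_NO_SETUID_FIXUP and their _LOCKED variants) before set_user() and fastd_cap_drop() run in the src/fastd.c hunk, so the process keeps the kernel's default securebits and, presumably, a later uid-0 transition or setuid exec would regain full capabilities; nothing in the new code records that this is the intended design. fastd_cap_drop() starts in this hunk but its body continues outside it, so I cannot tell whether it compensates in some other way. If dropping the lock is deliberate, a comment above fastd_cap_drop() would keep the next maintainer from re-adding a lock ad hoc: `/* Securebits are left at kernel defaults; privilege reduction relies only on the capability sets cleared here. */`. The empty stub fastd_cap_drop() in the second hunk deserves the same note, since on that build the function drops nothing at all.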
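Review bot: Dropping TOK_LOCK from the drop_capabilities rule (third config.y hunk) together with the `lock` rule in the config.l hunk turns an existing `drop capabilities ... lock` line from an accepted option into a parse error, and neither hunk adds a deprecation message or a documentation update for that hard break. What the lexer now does with the bare word `lock` is not visible here — presumably it falls through to a catch-all rule — so it is worth checking that the resulting error names the offending keyword rather than failing obscurely. At minimum the commit description and the config documentation should state that the `lock` option has been removed. The drop_capabilities rule is fully visible in its hunk.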
diff --git a/src/fastd.c b/src/fastd.c
index b7a7a83..22d64b9 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -1050,11 +1050,7 @@ static void set_user(fastd_context_t *ctx) {
 }
 
 static void drop_caps(fastd_context_t *ctx) {
- if (ctx->conf->lock_caps)
- fastd_cap_lock(ctx);
-
 set_user(ctx);
-
 fastd_cap_drop(ctx);
 }
 
diff --git a/src/fastd.h b/src/fastd.h
index dc24579..df84c97 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -196,7 +196,6 @@ struct fastd_config {
 bool forward;
 
 fastd_drop_caps_t drop_caps;
- bool lock_caps;
 
 char *user;
 char *group;
@@ -325,7 +324,6 @@ void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char
 void fastd_reconfigure(fastd_context_t *ctx, fastd_config_t *conf);
 
 void fastd_cap_init(fastd_context_t *ctx);
-void fastd_cap_lock(fastd_context_t *ctx);
 void fastd_cap_drop(fastd_context_t *ctx);
 
 void fastd_random_bytes(fastd_context_t *ctx, void *buffer, size_t len, bool secure);
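Review bot: The new drop_caps() body is reduced to two bare calls with no comment on why set_user() has to run before fastd_cap_drop(), and now that the lock branch is gone that ordering is the only thing in the function that carries meaning. Both callees are void, so a failure in either step is also invisible here; whether set_user() reports errors itself is outside this hunk. A one-line comment would keep the order from being "simplified" away later: `/* Order matters: switch uid/gid first, then drop the capability sets. */` — the reason the uid switch needs to come first is presumably that it still relies on the capabilities kept by fastd_cap_init(), which I cannot confirm from this diff.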