From ae28e7c8b1c93c574081af79c54c02a4e916d3d8 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Tue, 25 Dec 2012 17:22:29 +0100
Subject: Remove capability locking feature

This isn't our job, so there is no reason to support this.
---
src/capabilities.c | 14 --------------
src/config.l | 1 -
src/config.y | 13 +------------
src/fastd.c | 4 ----
src/fastd.h | 2 --
5 files changed, 1 insertion(+), 33 deletions(-)

diff --git a/src/capabilities.c b/src/capabilities.c
index 415cce6..5ad2e45 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -72,17 +72,6 @@ void fastd_cap_init(fastd_context_t *ctx) {
 try_cap(ctx, CAP_NET_RAW);
 }
-void fastd_cap_lock(fastd_context_t *ctx) {
- if (prctl(PR_SET_SECUREBITS,
- SECBIT_KEEP_CAPS_LOCKED |
- SECBIT_NO_SETUID_FIXUP |
- SECBIT_NO_SETUID_FIXUP_LOCKED |
- SECBIT_NOROOT |
- SECBIT_NOROOT_LOCKED) < 0) {
- pr_debug_errno(ctx, "prctl");
- }
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 cap_t caps = cap_init();
@@ -103,9 +92,6 @@ void fastd_cap_drop(fastd_context_t *ctx) {
 void fastd_cap_init(fastd_context_t *ctx) {
 }
-void fastd_cap_lock(fastd_context_t *ctx) {
-}
-
 void fastd_cap_drop(fastd_context_t *ctx) {
 }
diff --git a/src/config.l b/src/config.l
index 1881575..04cc6b0 100644
--- a/src/config.l
+++ b/src/config.l
@@ -105,7 +105,6 @@ group { TOKEN(TOK_GROUP); }
 drop { TOKEN(TOK_DROP); }
 capabilities { TOKEN(TOK_CAPABILITIES); }
 early { TOKEN(TOK_EARLY); }
-lock { TOKEN(TOK_LOCK); }
 limit { TOKEN(TOK_LIMIT); }
 [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} {
diff --git a/src/config.y b/src/config.y
index 5794124..27fec71 100644
--- a/src/config.y
+++ b/src/config.y
@@ -105,7 +105,6 @@
 %token TOK_DROP
 %token TOK_CAPABILITIES
 %token TOK_EARLY
-%token TOK_LOCK
 %token TOK_LIMIT
 %token TOK_ADDR4
@@ -135,7 +134,6 @@
 %type maybe_bind_default
 %type bind_default
 %type drop_capabilities_enabled
-%type drop_capabilities_lock
 %%
 start: START_CONFIG config
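Review bot: Existing configurations that contain `drop capabilities lock` will, as far as this hunk and the matching config.y hunks show, now fail to parse instead of being accepted with a warning, because `lock` no longer lexes as `TOK_LOCK` and the `drop_capabilities` rule no longer has a place for it; deployments that used the option will stop starting after an upgrade. If a hard break is intended, the commit message should say so and the change should be noted for users. Otherwise keep `lock { TOKEN(TOK_LOCK); }` and `%token TOK_LOCK` for one release and add an alternative such as `| drop_capabilities_enabled TOK_LOCK { conf->drop_caps = $1; /* 'lock' is deprecated and ignored */ }` to the `drop_capabilities` rule, emitting a deprecation warning through whichever logging helper the parser already uses.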
@@ -190,9 +188,8 @@ group: TOK_STRING {
 }
 drop_capabilities:
- drop_capabilities_enabled drop_capabilities_lock {
+ drop_capabilities_enabled {
 conf->drop_caps = $1;
- conf->lock_caps = $2;
 }
 drop_capabilities_enabled:
@@ -203,14 +200,6 @@ drop_capabilities_enabled:
 $$ = $1 ? DROP_CAPS_ON : DROP_CAPS_OFF;
 }
-drop_capabilities_lock:
- TOK_LOCK {
- $$ = true;
- }
- | {
- $$ = false;
- }
-
 log: TOK_LEVEL log_level {
 conf->log_stderr_level = $2;
 }
diff --git a/src/fastd.c b/src/fastd.c
index b7a7a83..22d64b9 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -1050,11 +1050,7 @@ static void set_user(fastd_context_t *ctx) {
 }
 static void drop_caps(fastd_context_t *ctx) {
- if (ctx->conf->lock_caps)
- fastd_cap_lock(ctx);
-
 set_user(ctx);
-
 fastd_cap_drop(ctx);
 }
diff --git a/src/fastd.h b/src/fastd.h
index dc24579..df84c97 100644
--- a/src/fastd.h
+++ b/src/fastd.h
@@ -196,7 +196,6 @@ struct fastd_config {
 bool forward;
 fastd_drop_caps_t drop_caps;
- bool lock_caps;
 char *user;
 char *group;
@@ -325,7 +324,6 @@ void fastd_configure(fastd_context_t *ctx, fastd_config_t *conf, int argc, char
 void fastd_reconfigure(fastd_context_t *ctx, fastd_config_t *conf);
 void fastd_cap_init(fastd_context_t *ctx);
-void fastd_cap_lock(fastd_context_t *ctx);
 void fastd_cap_drop(fastd_context_t *ctx);
 void fastd_random_bytes(fastd_context_t *ctx, void *buffer, size_t len, bool secure);
--
cgit v1.2.3
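Review bot: The new `drop_caps` body in the fastd.c hunk switches user and drops capabilities but no longer touches the securebits, so nothing in this function now prevents the process from regaining privileges later, for instance through an `execve` of a setuid binary, which the removed `SECBIT_NOROOT`/`SECBIT_NO_SETUID_FIXUP` lock previously closed off; presumably that is now meant to be handled outside fastd by the service manager or a bounding set. That trade-off is worth writing down at the function so the next reader does not assume the privilege drop is irreversible, e.g. `/* Drops the uid and capability set but deliberately does not lock securebits; preventing later privilege gain (setuid execs) is left to the deployment. */`. How `set_user` treats the capability set across the uid change cannot be judged here, since its body starts before the hunk, so a short note on what `fastd_cap_drop` is expected to find after it returns would also help.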