capabilities: added support for ambient capabilities.

This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000
author: Ismo Puustinen <ismo.puustinen@intel.com> 2015-12-31 14:54:44 +0200
committer: Ismo Puustinen <ismo.puustinen@intel.com> 2016-01-12 12:14:50 +0200
commit: 755d4b67a471ed1a3472b8536cb51315d4e4e3c1 (patch)
tree: 8a0d604514b069463816768a326fb4a6f4f947d7 /src/basic/capability-util.c
parent: capabilities: keep bounding set in non-inverted format. (diff)
download: systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.tar.gz
systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.tar.bz2
systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.zip
1 files changed, 55 insertions, 0 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 881f0f671..49c2d61af 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -96,6 +96,61 @@ unsigned long cap_last_cap(void) {
         return p;
 }
 
+int capability_update_inherited_set(cap_t caps, uint64_t set) {
+        unsigned long i;
+
+        /* Add capabilities in the set to the inherited caps. Do not apply
+         * them yet. */
+
+        for (i = 0; i < cap_last_cap(); i++) {
+
+                if (set & (UINT64_C(1) << i)) {
+                        cap_value_t v;
+
+                        v = (cap_value_t) i;
+
+                        /* Make the capability inheritable. */
+                        if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
+                                return -errno;
+                }
+        }
+
+        return 0;
+}
+
+int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
+        unsigned long i;
+        _cleanup_cap_free_ cap_t caps = NULL;
+
+        /* Add the capabilities to the ambient set. */
+
+        if (also_inherit) {
+                int r;
+                caps = cap_get_proc();
+                if (!caps)
+                        return -errno;
+
+                r = capability_update_inherited_set(caps, set);
+                if (r < 0)
+                        return -errno;
+
+                if (cap_set_proc(caps) < 0)
+                        return -errno;
+        }
+
+        for (i = 0; i < cap_last_cap(); i++) {
+
+                if (set & (UINT64_C(1) << i)) {
+
+                        /* Add the capability to the ambient set. */
+                        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
+                                return -errno;
+                }
+        }
+
+        return 0;
+}
+
 int capability_bounding_set_drop(uint64_t keep, bool right_now) {
         _cleanup_cap_free_ cap_t after_cap = NULL;
         cap_flag_value_t fv;
author	Ismo Puustinen <ismo.puustinen@intel.com>	2015-12-31 14:54:44 +0200
committer	Ismo Puustinen <ismo.puustinen@intel.com>	2016-01-12 12:14:50 +0200
commit	755d4b67a471ed1a3472b8536cb51315d4e4e3c1 (patch)
tree	8a0d604514b069463816768a326fb4a6f4f947d7 /src/basic/capability-util.c
parent	capabilities: keep bounding set in non-inverted format. (diff)
download	systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.tar.gz systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.tar.bz2 systemd-755d4b67a471ed1a3472b8536cb51315d4e4e3c1.zip