fix capabilities for sev/rt_ini

(cherry picked from commit d8d42faca720574c6bc915e7e857a8a8a66d7f58)

fix capabilities for sev/rt_ini
(cherry picked from commit d8d42faca720574c6bc915e7e857a8a8a66d7f58)
0e94c25c · Marcus Nordenberg · Esteban Blanc · e74a3b7f · 0e94c25c · 0e94c25c
Commit 0e94c25c authored Mar 05, 2020 by Marcus Nordenberg Committed by Esteban Blanc Dec 23, 2020
5 changed files
--- a/sev/exe/sev_ini/src/sev_ini.c
+++ b/sev/exe/sev_ini/src/sev_ini.c
@@ -34,11 +34,13 @@
 * General Public License plus this exception.
 */

-// TODO: Den hr filen r i princip identisk med rt_ini.
+// TODO: Den h�r filen �r i princip identisk med rt_ini.

 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/wait.h>
+#include <sys/prctl.h>
+#include <linux/capability.h>

 #include "co_dcli.h"
 #include "co_string.h"
@@ -73,6 +75,10 @@ int main(int argc, char** argv)
  if (cp->flags.b.stop) {
    sts = stop(argc, argv, cp);
  } else {
+    // Set our ambient set so that our currently cap unaware processes may inherit and set the effective bit
+    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0);
+    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BROADCAST, 0, 0);
+    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0);
    sts = start(cp);
    sts = events(cp);
    errh_LogInfo(&cp->log, "Ich sterbe!!");

--- a/src/exe/rt_ini/src/rt_ini.c
+++ b/src/exe/rt_ini/src/rt_ini.c
@@ -40,6 +40,8 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/prctl.h>
+#include <linux/capability.h>

 #include "co_dcli.h"
 #include "co_string.h"
@@ -1718,4 +1720,8 @@ static void daemonize()
  stdout = fopen("/dev/null", "w+");
  stderr = fopen("/dev/null", "w+");

+  // Set our ambient set so that our currently cap unaware processes may inherit and set the effective bit
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BROADCAST, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0);
 }
--- a/src/tools/pkg/deb_x86_64/pwrrt/postinst
+++ b/src/tools/pkg/deb_x86_64/pwrrt/postinst
@@ -115,7 +115,7 @@ fi
 chown -R pwrp /usr/pwrrt
 chgrp -R pwrp /usr/pwrrt

-setcap cap_net_admin,cap_net_raw,cap_net_broadcast+eip /usr/pwrrt/exe/rt_ini
+setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_net_broadcast+eip /usr/pwrrt/exe/rt_ini

 #chmod u+s /usr/pwrrt/exe/rt_ini
 #chmod u+s /usr/pwrrt/exe/rt_rtt

--- a/src/tools/pkg/deb_x86_64/pwrrt/pwr.service
+++ b/src/tools/pkg/deb_x86_64/pwrrt/pwr.service
@@ -9,7 +9,6 @@ EnvironmentFile=-/pwrp/common/load/pwr_environment
 Type=forking
 Restart=no
 TimeoutSec=15
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BROADCAST
 # TODO Share private tmp with rt_xtt
 PrivateTmp=no
 KillMode=control-group

--- a/src/tools/pkg/deb_x86_64/pwrsev/postinst
+++ b/src/tools/pkg/deb_x86_64/pwrsev/postinst
@@ -115,7 +115,7 @@ fi
 chown -R pwrp /usr/pwrsev
 chgrp -R pwrp /usr/pwrsev

-setcap cap_net_admin,cap_net_raw,cap_net_broadcast+eip /usr/pwrsev/exe/sev_ini
+setcap cap_net_admin,cap_net_raw,cap_net_broadcast,cap_setpcap+eip /usr/pwrsev/exe/sev_ini

 # Source pwrp_profile in login shells
 if [ ! -e /etc/profile/pwrp_profile.sh ]; then