VirtualBox

Changeset 15871 in vbox


Ignore:
Timestamp:
Jan 8, 2009 3:27:46 PM (16 years ago)
Author:
vboxsync
Message:

Linux hardened: use direct capset() calls to prevent a dependency to either libcap1 or libcap2

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp

    r15314 r15871  
    5858# include <sys/types.h>
    5959# if defined(RT_OS_LINUX)
     60#  undef USE_LIB_PCAP /* don't depend on libcap as we had to depend on either
     61                         libcap1 or libcap2 */
     62
     63#  undef _POSIX_SOURCE
     64#  include <linux/capability.h>
    6065#  include <sys/capability.h>
    6166#  include <sys/prctl.h>
     
    600605     * keep the cap_net_raw capability for ICMP sockets for the NAT stack.
    601606     */
     607#  ifdef USE_LIB_PCAP
    602608    if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
    603609        prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
     610#  else
     611    cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
     612    cap_user_data_t   cap = (cap_user_data_t)alloca(sizeof(*cap));
     613    memset(hdr, 0, sizeof(*hdr));
     614    hdr->version = _LINUX_CAPABILITY_VERSION;
     615    memset(cap, 0, sizeof(*cap));
     616    cap->effective = CAP_TO_MASK(CAP_NET_RAW);
     617    cap->permitted = CAP_TO_MASK(CAP_NET_RAW);
     618    if (!capset(hdr, cap))
     619        prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
     620#  endif
    604621
    605622# elif defined(RT_OS_SOLARIS)
     
    704721     * Re-enable the cap_net_raw capability which was disabled during setresuid.
    705722     */
     723#  ifdef USE_LIB_PCAP
    706724    /** @todo Warn if that does not work? */
    707725    cap_set_proc(cap_from_text("cap_net_raw+ep"));
     726#  else
     727    cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
     728    cap_user_data_t   cap = (cap_user_data_t)alloca(sizeof(*cap));
     729    memset(hdr, 0, sizeof(*hdr));
     730    hdr->version = _LINUX_CAPABILITY_VERSION;
     731    memset(cap, 0, sizeof(*cap));
     732    cap->effective = CAP_TO_MASK(CAP_NET_RAW);
     733    cap->permitted = CAP_TO_MASK(CAP_NET_RAW);
     734    /** @todo Warn if that does not work? */
     735    capset(hdr, cap);
     736#  endif
    708737# endif
    709738}
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette