-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | mount.cifs.c | 43 |
3 files changed, 48 insertions, 2 deletions
diff --git a/Makefile.am b/Makefile.am
index 9cf25f6..01f1762 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I aclocal
 root_sbindir = "/sbin"
 root_sbin_PROGRAMS = mount.cifs
 mount_cifs_SOURCES = mount.cifs.c mtab.c util.c
-mount_cifs_LDADD = @LIBCAP@
+mount_cifs_LDADD = @LIBCAP@ @CAPNG_LDADD@
 man_MANS = mount.cifs.8
diff --git a/configure.ac b/configure.ac
index a64113a..857b0d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -118,6 +118,9 @@ LIBS=$cu_saved_libs
 AM_CONDITIONAL(CONFIG_CIFSUPCALL, [test "$enable_cifsupcall" != "no"])
-AC_LIBCAP
+LIBCAP_NG_PATH
+if test "x$CAPNG_LDADD" = "x"; then
+ AC_LIBCAP
+fi
 AC_OUTPUT
diff --git a/mount.cifs.c b/mount.cifs.c
index eb72c46..1ff1846 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -44,9 +44,13 @@
 #include <fstab.h>
 #include <sys/mman.h>
 #include <sys/wait.h>
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#else /* HAVE_LIBCAP_NG */
 #ifdef HAVE_LIBCAP
 #include <sys/capability.h>
 #endif /* HAVE_LIBCAP */
+#endif /* HAVE_LIBCAP_NG */
 #include "mount.h"
 #include "util.h"
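Review bot: `LIBCAP_NG_PATH` in the configure.ac hunk is not defined by any of the three files this commit touches, so it presumably comes from an m4 file installed with libcap-ng's development package. If that file is absent when the configure script is regenerated, the macro would not be expanded and `CAPNG_LDADD` stays empty, so the build quietly falls back to `AC_LIBCAP` and the privilege-dropping backend differs from what the packager expected. Guarding the call, e.g. `m4_ifdef([LIBCAP_NG_PATH], [LIBCAP_NG_PATH])`, and adding a comment such as `# LIBCAP_NG_PATH comes from libcap-ng's m4 file; fall back to libcap when it finds nothing` would make the dependency and the fallback explicit.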
@@ -322,6 +326,44 @@ static int parse_username(char *rawuser, struct parsed_mount_info *parsed_info)
 return 0;
 }
+#ifdef HAVE_LIBCAP_NG
+static int
+drop_capabilities(int parent)
+{
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+
+ if (parent) {
+ if (capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_ADMIN)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+ }
+ if (capng_apply(CAPNG_SELECT_BOTH)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+ return 0;
+}
+
+static int
+toggle_cap_dac_override(int enable)
+{
+ if (capng_update(enable ? CAPNG_ADD : CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+ if (capng_apply(CAPNG_SELECT_CAPS)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+ return 0;
+}
+#else /* HAVE_LIBCAP_NG */
 #ifdef HAVE_LIBCAP
 static int
 drop_capabilities(int parent)
@@ -426,6 +468,7 @@ toggle_cap_dac_override(int enable)
 return 0;
 }
 #endif /* HAVE_LIBCAP */
+#endif /* HAVE_LIBCAP_NG */
 static int open_cred_file(char *file_name, struct parsed_mount_info *parsed_info) |
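Review bot: In the new libcap-ng `drop_capabilities()`, `capng_apply(CAPNG_SELECT_BOTH)` rewrites the bounding set as well as the permitted/effective sets, and the kernel only allows bounding-set drops while CAP_SETPCAP is effective. Where mount.cifs starts without that capability, the apply can fail (depending on how the installed libcap-ng reports it) and the mount aborts with EX_SYSERR even though the capability sets alone could still have been reduced. Consider choosing the selector before `capng_clear()`, e.g. `capng_get_caps_process();` followed by `capng_select_t set = capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP) ? CAPNG_SELECT_BOTH : CAPNG_SELECT_CAPS;`, and then calling `capng_apply(set)`. A short comment above the function should also record that CAP_DAC_OVERRIDE is kept permitted-only so `toggle_cap_dac_override()` can raise it later, and that only the parent keeps CAP_SYS_ADMIN.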