kinit/use-capabilities.patch

63 lines
2.1 KiB
Diff

diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index c53e1de..f29ec47 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -13,3 +13,4 @@ check_include_files(sys/exec.h HAVE_SYS_EXEC_H)
check_function_exists(pstat HAVE_PSTAT)
check_function_exists(setproctitle HAVE_SETPROCTITLE)
check_library_exists(socket connect "" HAVE_SOCKET_LIBRARY)
+check_library_exists(cap cap_init "" HAVE_CAPABILITIES)
diff --git a/src/start_kdeinit/CMakeLists.txt b/src/start_kdeinit/CMakeLists.txt
index 6bfc496..0c513de 100644
--- a/src/start_kdeinit/CMakeLists.txt
+++ b/src/start_kdeinit/CMakeLists.txt
@@ -9,6 +9,6 @@ if (CMAKE_SYSTEM_NAME MATCHES Linux)
set(KDEINIT_OOM_PROTECT 1)
install(CODE "
set(START_KDEINIT_PATH \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${LIBEXEC_INSTALL_DIR}/start_kdeinit\")
- EXECUTE_PROCESS(COMMAND sh -c \"chown 0 '\${START_KDEINIT_PATH}' && chmod u+s '\${START_KDEINIT_PATH}'\")
+ EXECUTE_PROCESS(COMMAND sh -c \"setcap 'CAP_SYS_RESOURCE=+ep' '\${START_KDEINIT_PATH}'\")
")
endif ()
diff --git a/src/start_kdeinit/start_kdeinit.c b/src/start_kdeinit/start_kdeinit.c
index 3c733e7..26d2843 100644
--- a/src/start_kdeinit/start_kdeinit.c
+++ b/src/start_kdeinit/start_kdeinit.c
@@ -27,6 +27,10 @@
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#define EXECUTE CMAKE_INSTALL_PREFIX"/"BIN_INSTALL_DIR "/kdeinit5"
@@ -98,6 +102,10 @@ int main(int argc, char **argv)
unsigned i;
char **orig_environ = NULL;
char header[ 7 ];
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
+
if (pipe(pipes) < 0) {
perror("pipe()");
return 1;
@@ -111,6 +119,14 @@ int main(int argc, char **argv)
perror("fork()");
return 1;
default: /* parent, drop privileges and exec */
+#ifdef HAVE_CAPABILITIES
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("cap_set_proc()");
+ return 1;
+ }
+ cap_free(caps);
+#endif
if (setgid(getgid())) {
perror("setgid()");
return 1;