From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
|
|
From: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
Date: Mon, 7 Nov 2011 10:34:38 +0100
|
|
Subject: [PATCH] disable run time fscaps detection (bnc#728312)
|
|
|
|
PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
|
|
them again.
|
|
---
|
|
chkstat.8 | 5 +++--
|
|
chkstat.c | 40 ++++++++++++++++++++++++++++------------
|
|
2 files changed, 31 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/chkstat.8 b/chkstat.8
|
|
index 3492e21..364a237 100644
|
|
--- a/chkstat.8
|
|
+++ b/chkstat.8
|
|
@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
|
|
Omit printing the output header lines.
|
|
.TP
|
|
.IR \-\-fscaps,\ \-\-no\-fscaps
|
|
-Force or disable use of fscaps. Default is to automatically
|
|
-determine whether the running kernel supports fscaps.
|
|
+Enable or disable use of fscaps. In system mode the setting of
|
|
+PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
|
|
+option is not set.
|
|
.TP
|
|
.IR \-\-examine\ file
|
|
Check permissions for this file instead of all files listed in the permissions files.
|
|
diff --git a/chkstat.c b/chkstat.c
|
|
index e5c9b15..8682c3e 100644
|
|
--- a/chkstat.c
|
|
+++ b/chkstat.c
|
|
@@ -54,6 +54,7 @@ int nlevel;
|
|
char** level;
|
|
int do_set = -1;
|
|
int default_set = 1;
|
|
+int have_fscaps = -1;
|
|
char** permfiles = NULL;
|
|
int npermfiles = 0;
|
|
char* force_level;
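Review bot: The new file-scope `have_fscaps` on the `+int have_fscaps = -1;` line is a tri-state, but nothing says what the three values mean, and later code tests it as `== -1`, `== 1` and `!= 1` in different places. A one-line comment would keep the states straight: `int have_fscaps = -1; /* -1: not configured, 0: off, 1: on; set by --fscaps/--no-fscaps or PERMISSIONS_FSCAPS */`. Whether the -1 state can still be live at the points of use depends on main(), which is outside this hunk.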
|
|
@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
|
|
//fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 'set', 'warn' or 'no')\n");
|
|
}
|
|
}
|
|
+ else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
|
|
+ {
|
|
+ p+=19;
|
|
+ if (isquote(*p))
|
|
+ ++p;
|
|
+ if (!strncmp(p, "yes", 3))
|
|
+ {
|
|
+ p+=3;
|
|
+ if (isquote(*p) || !*p)
|
|
+ have_fscaps=1;
|
|
+ }
|
|
+ else if (!strncmp(p, "no", 2))
|
|
+ {
|
|
+ p+=2;
|
|
+ if (isquote(*p) || !*p)
|
|
+ have_fscaps=0;
|
|
+ }
|
|
+ }
|
|
}
|
|
fclose(fp);
|
|
return 0;
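Review bot: A PERMISSIONS_FSCAPS value that is not exactly `yes` or `no` (for example `true`, `YES`, or `yes` followed by a trailing space before the closing quote) leaves `have_fscaps` at -1 and is silently ignored; no diagnostic is printed, and since the later `+capabilities` handling treats anything other than 1 as off, a typo in this setting silently disables capability assignment for the whole run. Checking `have_fscaps == -1` after the yes/no chain and emitting `fprintf(stderr, "invalid value for PERMISSIONS_FSCAPS (must be 'yes' or 'no')\n");` would surface it, mirroring the (commented-out) message in the CHECK_PERMISSIONS branch above. The `have_fscaps == -1` guard in the new condition only lets `--fscaps`/`--no-fscaps` win if option parsing runs before this function; that ordering is decided in main(), outside this hunk. parse_sysconf itself begins before the hunk.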
|
|
@@ -515,18 +534,18 @@ check_fscaps_enabled()
|
|
{
|
|
FILE* fp;
|
|
char line[128];
|
|
- int have_fscaps = FSCAPS_DEFAULT_ENABLED;
|
|
+ int val = FSCAPS_DEFAULT_ENABLED;
|
|
if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
|
|
{
|
|
goto out;
|
|
}
|
|
if (readline(fp, line, sizeof(line)))
|
|
{
|
|
- have_fscaps = atoi(line);
|
|
+ val = atoi(line);
|
|
}
|
|
fclose(fp);
|
|
out:
|
|
- return have_fscaps;
|
|
+ return val;
|
|
}
|
|
|
|
int
|
|
@@ -552,7 +571,6 @@ main(int argc, char **argv)
|
|
int fd, r;
|
|
int errors = 0;
|
|
cap_t caps = NULL;
|
|
- int have_fscaps = -1;
|
|
|
|
while (argc > 1)
|
|
{
|
|
@@ -692,9 +710,6 @@ main(int argc, char **argv)
|
|
break;
|
|
}
|
|
|
|
- if (have_fscaps == -1)
|
|
- have_fscaps = check_fscaps_enabled();
|
|
-
|
|
if (systemmode)
|
|
{
|
|
const char file[] = "/etc/sysconfig/security";
|
|
@@ -747,6 +762,11 @@ main(int argc, char **argv)
|
|
permfiles = &argv[1];
|
|
}
|
|
|
|
+ if (have_fscaps == 1 && !check_fscaps_enabled())
|
|
+ {
|
|
+ fprintf(stderr, "Warning: running kernel does not support fscaps\n");
|
|
+ }
|
|
+
|
|
if (do_set == -1)
|
|
do_set = 0;
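Review bot: The new warning fires when fscaps were explicitly requested but `check_fscaps_enabled()` reports no kernel support, yet `have_fscaps` stays 1, so the `+capabilities` entries will still be processed further down in main(); whether each capability-setting attempt then fails loudly or quietly is decided by code outside this hunk. If fail-loud on an explicit request is the intent, say so next to the message, e.g. `/* explicit request (--fscaps / PERMISSIONS_FSCAPS=yes) wins over detection; per-file cap errors are reported below */`; if not, add `have_fscaps = 0;` inside the block so the run degrades the way the old auto-detection did. Note that `check_fscaps_enabled()` returns `FSCAPS_DEFAULT_ENABLED` when `/sys/kernel/fscaps` cannot be opened, so on such kernels the warning may never appear.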
|
|
|
|
@@ -802,7 +822,7 @@ main(int argc, char **argv)
|
|
}
|
|
if (!strncmp(p, "+capabilities ", 14))
|
|
{
|
|
- if (!have_fscaps)
|
|
+ if (have_fscaps != 1)
|
|
continue;
|
|
p += 14;
|
|
caps = cap_from_text(p);
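Review bot: With `have_fscaps != 1` as the skip condition, the unset state (-1) is now treated as off, and because this commit also removes the "kernel has fscaps support disabled" notice, a run that never sets `have_fscaps` — non-system mode without `--fscaps`, or system mode with PERMISSIONS_FSCAPS absent or misspelled — silently drops every `+capabilities` entry. That grants nothing, so it is not a privilege-escalation risk, but an operator applying a permissions profile gets no indication that those lines were skipped. A one-time notice before the loop, `if (have_fscaps == -1) fprintf(stderr, "Notice: fscaps not enabled, +capabilities entries ignored (see --fscaps / PERMISSIONS_FSCAPS)\n");`, would make the silent default visible. The enclosing loop in main() starts and ends outside this hunk.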
|
|
@@ -900,10 +920,6 @@ main(int argc, char **argv)
|
|
printf("Checking permissions and ownerships - using the permissions files\n");
|
|
for (i = 0; i < npermfiles; i++)
|
|
printf("\t%s\n", permfiles[i]);
|
|
- if (!have_fscaps)
|
|
- {
|
|
- printf("kernel has fscaps support disabled.\n");
|
|
- }
|
|
if (rootl)
|
|
{
|
|
printf("Using root %s\n", root);
|
|
--
|
|
1.7.3.4
|
|
|