Merge pull request #2730 from ivyl/remove_cap_leftovers

Remove libcap/prctl artifacts
Drew DeVault 2018-09-30 13:41:36 +02:00 committed by GitHub
commit 7355959d7f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 23 additions and 142 deletions


@ -449,8 +449,6 @@ void free_sway_variable(struct sway_variable *var);
*/ */
char *do_var_replacement(char *str); char *do_var_replacement(char *str);
struct cmd_results *check_security_config();
int input_identifier_cmp(const void *item, const void *data); int input_identifier_cmp(const void *item, const void *data);
struct input_config *new_input_config(const char* identifier); struct input_config *new_input_config(const char* identifier);
@ -471,7 +469,7 @@ struct seat_config *copy_seat_config(struct seat_config *seat);
void free_seat_config(struct seat_config *ic); void free_seat_config(struct seat_config *ic);
struct seat_attachment_config *seat_attachment_config_new(); struct seat_attachment_config *seat_attachment_config_new(void);
struct seat_attachment_config *seat_config_get_attachment( struct seat_attachment_config *seat_config_get_attachment(
struct seat_config *seat_config, char *identifier); struct seat_config *seat_config, char *identifier);


@ -17,6 +17,6 @@ struct sway_debug {
extern struct sway_debug debug; extern struct sway_debug debug;
void update_debug_tree(); void update_debug_tree(void);
#endif #endif


@ -4,7 +4,7 @@
#include "sway/tree/container.h" #include "sway/tree/container.h"
#include "sway/input/input-manager.h" #include "sway/input/input-manager.h"
json_object *ipc_json_get_version(); json_object *ipc_json_get_version(void);
json_object *ipc_json_describe_disabled_output(struct sway_output *o); json_object *ipc_json_describe_disabled_output(struct sway_output *o);
json_object *ipc_json_describe_node(struct sway_node *node); json_object *ipc_json_describe_node(struct sway_node *node);


@ -50,7 +50,7 @@ struct swaybar_config {
} colors; } colors;
}; };
struct swaybar_config *init_config(); struct swaybar_config *init_config(void);
void free_config(struct swaybar_config *config); void free_config(struct swaybar_config *config);
uint32_t parse_position(const char *position); uint32_t parse_position(const char *position);


@ -1,18 +0,0 @@
#ifndef _SWAYBAR_DBUS_H
#define _SWAYBAR_DBUS_H
#include <stdbool.h>
#include <dbus/dbus.h>
extern DBusConnection *conn;
/**
* Should be called in main loop to dispatch events
*/
void dispatch_dbus();
/**
* Initializes async dbus communication
*/
int dbus_init();
#endif /* _SWAYBAR_DBUS_H */


@ -1,10 +0,0 @@
#ifndef _SWAYBAR_SNI_WATCHER_H
#define _SWAYBAR_SNI_WATCHER_H
/**
* Starts the sni_watcher, the watcher is practically a black box and should
* only be accessed though functions described in its spec
*/
int init_sni_watcher();
#endif /* _SWAYBAR_SNI_WATCHER_H */


@ -1,32 +0,0 @@
#ifndef _SWAYBAR_TRAY_H
#define _SWAYBAR_TRAY_H
#include <stdint.h>
#include <stdbool.h>
#include "swaybar/tray/dbus.h"
#include "swaybar/tray/sni.h"
#include "swaybar/bar.h"
#include "list.h"
extern struct tray *tray;
struct tray {
list_t *items;
};
/**
* Processes a mouse event on the bar
*/
void tray_mouse_event(struct output *output, int x, int y,
uint32_t button, uint32_t state);
uint32_t tray_render(struct output *output, struct config *config);
void tray_upkeep(struct bar *bar);
/**
* Initializes the tray with D-Bus
*/
void init_tray(struct bar *bar);
#endif /* _SWAYBAR_TRAY_H */


@ -42,7 +42,6 @@ pango = dependency('pango')
pangocairo = dependency('pangocairo') pangocairo = dependency('pangocairo')
gdk_pixbuf = dependency('gdk-pixbuf-2.0', required: false) gdk_pixbuf = dependency('gdk-pixbuf-2.0', required: false)
pixman = dependency('pixman-1') pixman = dependency('pixman-1')
libcap = dependency('libcap', required: false)
libinput = dependency('libinput', version: '>=1.6.0') libinput = dependency('libinput', version: '>=1.6.0')
libpam = cc.find_library('pam', required: false) libpam = cc.find_library('pam', required: false)
systemd = dependency('libsystemd', required: false) systemd = dependency('libsystemd', required: false)


@ -30,7 +30,7 @@ struct seat_config *new_seat_config(const char* name) {
return seat; return seat;
} }
struct seat_attachment_config *seat_attachment_config_new() { struct seat_attachment_config *seat_attachment_config_new(void) {
struct seat_attachment_config *attachment = struct seat_attachment_config *attachment =
calloc(1, sizeof(struct seat_attachment_config)); calloc(1, sizeof(struct seat_attachment_config));
if (!attachment) { if (!attachment) {


@ -120,7 +120,7 @@ static int draw_node(cairo_t *cairo, struct sway_node *node,
return height; return height;
} }
void update_debug_tree() { void update_debug_tree(void) {
if (!debug.render_tree) { if (!debug.render_tree) {
return; return;
} }


@ -30,7 +30,7 @@
// when dragging to the edge of a layout container. // when dragging to the edge of a layout container.
#define DROP_LAYOUT_BORDER 30 #define DROP_LAYOUT_BORDER 30
static uint32_t get_current_time_msec() { static uint32_t get_current_time_msec(void) {
struct timespec now; struct timespec now;
clock_gettime(CLOCK_MONOTONIC, &now); clock_gettime(CLOCK_MONOTONIC, &now);
return now.tv_nsec / 1000; return now.tv_nsec / 1000;
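Review bot: `get_current_time_msec()` returns `now.tv_nsec / 1000`, which is the microsecond part of the current second rather than a millisecond timestamp; it ignores `tv_sec`, so the value resets every second. If callers expect monotonic milliseconds, as the name suggests, the return should be `return now.tv_sec * 1000 + now.tv_nsec / 1000000;`. The commit only changes the signature to `(void)`, and the function's closing brace lies outside the hunk.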


@ -42,7 +42,7 @@ static const char *ipc_json_orientation_description(enum sway_container_layout l
return "none"; return "none";
} }
json_object *ipc_json_get_version() { json_object *ipc_json_get_version(void) {
int major = 0, minor = 0, patch = 0; int major = 0, minor = 0, patch = 0;
json_object *version = json_object_new_object(); json_object *version = json_object_new_object();


@ -12,10 +12,6 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/un.h> #include <sys/un.h>
#include <unistd.h> #include <unistd.h>
#ifdef __linux__
#include <sys/capability.h>
#include <sys/prctl.h>
#endif
#include <wlr/util/log.h> #include <wlr/util/log.h>
#include "sway/commands.h" #include "sway/commands.h"
#include "sway/config.h" #include "sway/config.h"
@ -45,7 +41,7 @@ void sig_handler(int signal) {
sway_terminate(EXIT_SUCCESS); sway_terminate(EXIT_SUCCESS);
} }
void detect_raspi() { void detect_raspi(void) {
bool raspi = false; bool raspi = false;
FILE *f = fopen("/sys/firmware/devicetree/base/model", "r"); FILE *f = fopen("/sys/firmware/devicetree/base/model", "r");
if (!f) { if (!f) {
@ -85,7 +81,7 @@ void detect_raspi() {
} }
} }
void detect_proprietary() { void detect_proprietary(void) {
FILE *f = fopen("/proc/modules", "r"); FILE *f = fopen("/proc/modules", "r");
if (!f) { if (!f) {
return; return;
@ -120,7 +116,7 @@ void run_as_ipc_client(char *command, char *socket_path) {
close(socketfd); close(socketfd);
} }
static void log_env() { static void log_env(void) {
const char *log_vars[] = { const char *log_vars[] = {
"PATH", "PATH",
"LD_LIBRARY_PATH", "LD_LIBRARY_PATH",
@ -135,7 +131,7 @@ static void log_env() {
} }
} }
static void log_distro() { static void log_distro(void) {
const char *paths[] = { const char *paths[] = {
"/etc/lsb-release", "/etc/lsb-release",
"/etc/os-release", "/etc/os-release",
@ -162,7 +158,7 @@ static void log_distro() {
} }
} }
static void log_kernel() { static void log_kernel(void) {
FILE *f = popen("uname -a", "r"); FILE *f = popen("uname -a", "r");
if (!f) { if (!f) {
wlr_log(WLR_INFO, "Unable to determine kernel version"); wlr_log(WLR_INFO, "Unable to determine kernel version");
@ -181,28 +177,8 @@ static void log_kernel() {
pclose(f); pclose(f);
} }
static void executable_sanity_check() {
#ifdef __linux__
struct stat sb;
char *exe = realpath("/proc/self/exe", NULL);
stat(exe, &sb);
// We assume that cap_get_file returning NULL implies ENODATA
if (sb.st_mode & (S_ISUID|S_ISGID) && cap_get_file(exe)) {
wlr_log(WLR_ERROR,
"sway executable has both the s(g)uid bit AND file caps set.");
wlr_log(WLR_ERROR,
"This is strongly discouraged (and completely broken).");
wlr_log(WLR_ERROR,
"Please clear one of them (either the suid bit, or the file caps).");
wlr_log(WLR_ERROR,
"If unsure, strip the file caps.");
exit(EXIT_FAILURE);
}
free(exe);
#endif
}
static void drop_permissions(bool keep_caps) { static void drop_permissions(void) {
if (getuid() != geteuid() || getgid() != getegid()) { if (getuid() != geteuid() || getgid() != getegid()) {
if (setgid(getgid()) != 0) { if (setgid(getgid()) != 0) {
wlr_log(WLR_ERROR, "Unable to drop root"); wlr_log(WLR_ERROR, "Unable to drop root");
@ -217,20 +193,6 @@ static void drop_permissions(bool keep_caps) {
wlr_log(WLR_ERROR, "Root privileges can be restored."); wlr_log(WLR_ERROR, "Root privileges can be restored.");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#ifdef __linux__
if (keep_caps) {
// Drop every cap except CAP_SYS_PTRACE
cap_t caps = cap_init();
cap_value_t keep = CAP_SYS_PTRACE;
wlr_log(WLR_INFO, "Dropping extra capabilities");
if (cap_set_flag(caps, CAP_PERMITTED, 1, &keep, CAP_SET) ||
cap_set_flag(caps, CAP_EFFECTIVE, 1, &keep, CAP_SET) ||
cap_set_proc(caps)) {
wlr_log(WLR_ERROR, "Failed to drop extra capabilities");
exit(EXIT_FAILURE);
}
}
#endif
} }
void enable_debug_flag(const char *flag) { void enable_debug_flag(const char *flag) {
@ -347,7 +309,7 @@ int main(int argc, char **argv) {
wlr_log(WLR_ERROR, "Don't use options with the IPC client"); wlr_log(WLR_ERROR, "Don't use options with the IPC client");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
drop_permissions(false); drop_permissions();
char *socket_path = getenv("SWAYSOCK"); char *socket_path = getenv("SWAYSOCK");
if (!socket_path) { if (!socket_path) {
wlr_log(WLR_ERROR, "Unable to retrieve socket path"); wlr_log(WLR_ERROR, "Unable to retrieve socket path");
@ -358,34 +320,17 @@ int main(int argc, char **argv) {
return 0; return 0;
} }
executable_sanity_check();
bool suid = false;
if (!server_privileged_prepare(&server)) { if (!server_privileged_prepare(&server)) {
return 1; return 1;
} }
#if defined(__linux__) || defined(__FreeBSD__)
if (getuid() != geteuid() || getgid() != getegid()) {
#ifdef __linux__
// Retain capabilities after setuid()
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
wlr_log(WLR_ERROR, "Cannot keep caps after setuid()");
exit(EXIT_FAILURE);
}
#endif
suid = true;
}
#endif
log_kernel(); log_kernel();
log_distro(); log_distro();
detect_proprietary(); detect_proprietary();
detect_raspi(); detect_raspi();
#if defined(__linux__) || defined(__FreeBSD__) drop_permissions();
drop_permissions(suid);
#endif
// handle SIGTERM signals // handle SIGTERM signals
signal(SIGTERM, sig_handler); signal(SIGTERM, sig_handler);


@ -164,7 +164,6 @@ sway_deps = [
cairo, cairo,
gdk_pixbuf, gdk_pixbuf,
jsonc, jsonc,
libcap,
libinput, libinput,
math, math,
pango, pango,


@ -593,7 +593,7 @@ void container_update_representation(struct sway_container *con) {
} }
} }
size_t container_titlebar_height() { size_t container_titlebar_height(void) {
return config->font_height + TITLEBAR_V_PADDING * 2; return config->font_height + TITLEBAR_V_PADDING * 2;
} }


@ -22,7 +22,7 @@ uint32_t parse_position(const char *position) {
} }
} }
struct swaybar_config *init_config() { struct swaybar_config *init_config(void) {
struct swaybar_config *config = calloc(1, sizeof(struct swaybar_config)); struct swaybar_config *config = calloc(1, sizeof(struct swaybar_config));
config->status_command = NULL; config->status_command = NULL;
config->pango_markup = false; config->pango_markup = false;
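Review bot: `init_config()` writes `config->status_command` immediately after `calloc()` without checking the result, so an allocation failure becomes a NULL dereference; `seat_attachment_config_new()`, touched elsewhere in this commit, does check its `calloc()` result with `if (!attachment)`. A guard such as `if (!config) { return NULL; }` before the first field assignment would make the two consistent. Whether callers handle a NULL return cannot be verified from this hunk, and the rest of the function body is outside it.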


@ -92,7 +92,7 @@ static int release_lock(void *data) {
return 0; return 0;
} }
void acquire_sleep_lock() { void acquire_sleep_lock(void) {
sd_bus_message *msg = NULL; sd_bus_message *msg = NULL;
sd_bus_error error = SD_BUS_ERROR_NULL; sd_bus_error error = SD_BUS_ERROR_NULL;
struct sd_bus *bus; struct sd_bus *bus;
@ -161,7 +161,7 @@ static int dbus_event(int fd, uint32_t mask, void *data) {
return 1; return 1;
} }
void setup_sleep_listener() { void setup_sleep_listener(void) {
struct sd_bus *bus; struct sd_bus *bus;
int ret = sd_bus_default_system(&bus); int ret = sd_bus_default_system(&bus);


@ -32,7 +32,7 @@ void sway_terminate(int exit_code) {
exit(exit_code); exit(exit_code);
} }
static void daemonize() { static void daemonize(void) {
int fds[2]; int fds[2];
if (pipe(fds) != 0) { if (pipe(fds) != 0) {
wlr_log(WLR_ERROR, "Failed to pipe"); wlr_log(WLR_ERROR, "Failed to pipe");


@ -11,7 +11,7 @@
#include "util.h" #include "util.h"
#include "wlr-layer-shell-unstable-v1-client-protocol.h" #include "wlr-layer-shell-unstable-v1-client-protocol.h"
static char *read_from_stdin() { static char *read_from_stdin(void) {
char *buffer = NULL; char *buffer = NULL;
while (!feof(stdin)) { while (!feof(stdin)) {
char *line = read_line(stdin); char *line = read_line(stdin);