diff --git a/main.c b/main.c
index e8bf122..b2149b1 100644
--- a/main.c
+++ b/main.c
@@ -625,7 +625,7 @@ int main
 /* Drop root privileges if the specified user has a non-zero UID */
 if (!geteuid() && (pw->pw_uid || pw->pw_gid))
- SYS_DropRoot(pw->pw_uid, pw->pw_gid);
+ SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS);
 REF_Initialise();
 SST_Initialise();
diff --git a/nts_ke_server.c b/nts_ke_server.c
index 2483d4b..32b3cdb 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -646,7 +646,7 @@ run_helper(uid_t uid, gid_t gid, int scfilter_level)
 LOG_SetMinSeverity(log_severity);
 if (!geteuid() && (uid || gid))
- SYS_DropRoot(uid, gid);
+ SYS_DropRoot(uid, gid, SYS_NTSKE_HELPER);
 NKS_Initialise();
diff --git a/sys.c b/sys.c
index 2088c09..6359c33 100644
--- a/sys.c
+++ b/sys.c
@@ -97,16 +97,16 @@ SYS_Finalise(void)
 /* ================================================== */
-void SYS_DropRoot(uid_t uid, gid_t gid)
+void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 #if defined(LINUX) && defined (FEAT_PRIVDROP)
- SYS_Linux_DropRoot(uid, gid, !null_driver);
+ SYS_Linux_DropRoot(uid, gid, context, !null_driver);
 #elif defined(SOLARIS) && defined(FEAT_PRIVDROP)
- SYS_Solaris_DropRoot(uid, gid);
+ SYS_Solaris_DropRoot(uid, gid, context);
 #elif (defined(NETBSD) || defined(FREEBSD)) && defined(FEAT_PRIVDROP)
- SYS_NetBSD_DropRoot(uid, gid);
+ SYS_NetBSD_DropRoot(uid, gid, context);
 #elif defined(MACOSX) && defined(FEAT_PRIVDROP)
- SYS_MacOSX_DropRoot(uid, gid);
+ SYS_MacOSX_DropRoot(uid, gid, context);
 #else
 LOG_FATAL("dropping root privileges not supported");
 #endif
@@ -114,7 +114,7 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
 /* ================================================== */
-void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
+void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 {
 #if defined(LINUX) && defined(FEAT_SCFILTER)
 SYS_Linux_EnableSystemCallFilter(level, context);
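Review bot: In the Linux branch of SYS_DropRoot in sys.c, `!null_driver` is still passed as `clock_control` whatever `context` is, so a call with SYS_NTSKE_HELPER requests the same clock-related treatment as the main process. The body of SYS_Linux_DropRoot lies outside the visible hunks, so whether it consults `context` cannot be confirmed here; if `clock_control` decides which capabilities survive the drop, the NTS-KE helper should not receive them. A least-privilege form would be `SYS_Linux_DropRoot(uid, gid, context, context == SYS_MAIN_PROCESS && !null_driver);`, or the equivalent test inside SYS_Linux_DropRoot in sys_linux.c.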
diff --git a/sys.h b/sys.h
index 6c3f8f8..9272daf 100644
--- a/sys.h
+++ b/sys.h
@@ -35,17 +35,17 @@ extern void SYS_Initialise(int clock_control);
 /* Called at the end of the run to do final clean-up */
 extern void SYS_Finalise(void);
-/* Drop root privileges to the specified user and group */
-extern void SYS_DropRoot(uid_t uid, gid_t gid);
-
 typedef enum {
 SYS_MAIN_PROCESS,
 SYS_NTSKE_HELPER,
-} SYS_SystemCallContext;
+} SYS_ProcessContext;
+
+/* Switch to the specified user and group in given context */
+extern void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 /* Enable a system call filter to allow only system calls which chronyd normally needs after initialization */
-extern void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
+extern void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context);
 extern void SYS_SetScheduler(int SchedPriority);
 extern void SYS_LockMemory(void);
diff --git a/sys_linux.c b/sys_linux.c
index 456a332..2f7fa9f 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -426,7 +426,7 @@ SYS_Linux_Finalise(void)
 #ifdef FEAT_PRIVDROP
 void
-SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
+SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control)
 {
 char cap_text[256];
 cap_t cap;
@@ -480,7 +480,7 @@ void check_seccomp_applicability(void)
 /* ================================================== */
 void
-SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
+SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 {
 const int syscalls[] = {
 /* Clock */
diff --git a/sys_linux.h b/sys_linux.h
index 799049d..b09ec31 100644
--- a/sys_linux.h
+++ b/sys_linux.h
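Review bot: The new comment on SYS_DropRoot in sys.h says "in given context" without stating what the context changes, and the renamed enum SYS_ProcessContext has no comment of its own although it now feeds two security-relevant calls. I would document the type at the typedef, e.g. `/* Type of chronyd process, passed to SYS_DropRoot() and SYS_EnableSystemCallFilter() */`. I would also keep the original wording in the function comment, e.g. `/* Drop root privileges to the specified user and group; context is the type of the calling process */`, so the purpose of the call stays easy to find.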
@@ -33,9 +33,9 @@ extern void SYS_Linux_Initialise(void);
 extern void SYS_Linux_Finalise(void);
-extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control);
+extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control);
-extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context);
+extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context);
 extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor);
diff --git a/sys_macosx.c b/sys_macosx.c
index 68f36ef..eb7297d 100644
--- a/sys_macosx.c
+++ b/sys_macosx.c
@@ -415,7 +415,7 @@ SYS_MacOSX_SetScheduler(int SchedPriority)
 /* ================================================== */
 #ifdef FEAT_PRIVDROP
-void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid)
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 PRV_StartHelper();
diff --git a/sys_macosx.h b/sys_macosx.h
index 5555616..09f0beb 100644
--- a/sys_macosx.h
+++ b/sys_macosx.h
@@ -30,8 +30,10 @@
 #ifndef GOT_SYS_MACOSX_H
 #define GOT_SYS_MACOSX_H
+#include "sys.h"
+
 void SYS_MacOSX_SetScheduler(int SchedPriority);
-void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid);
+void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 void SYS_MacOSX_Initialise(void);
 void SYS_MacOSX_Finalise(void);
diff --git a/sys_netbsd.c b/sys_netbsd.c
index 840d6a5..350f569 100644
--- a/sys_netbsd.c
+++ b/sys_netbsd.c
@@ -131,7 +131,7 @@ SYS_NetBSD_Finalise(void)
 #ifdef FEAT_PRIVDROP
 void
-SYS_NetBSD_DropRoot(uid_t uid, gid_t gid)
+SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 #ifdef NETBSD
 int fd;
diff --git a/sys_netbsd.h b/sys_netbsd.h
index 052f5b7..756bc8a 100644
--- a/sys_netbsd.h
+++ b/sys_netbsd.h
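Review bot: SYS_MacOSX_DropRoot in sys_macosx.c still calls `PRV_StartHelper()` unconditionally and does not use the new `context` argument in the visible lines; the same holds for SYS_Solaris_DropRoot in sys_solaris.c. If PRV_StartHelper() starts the privileged helper process, as its name suggests, a call with SYS_NTSKE_HELPER would give the NTS-KE helper a privileged companion that nothing in these hunks shows it needs. Putting `if (context == SYS_MAIN_PROCESS)` in front of `PRV_StartHelper();` would keep that helper to the main process. The function body continues outside the hunk, so this should be checked against the rest of it.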
@@ -28,10 +28,12 @@
 #ifndef GOT_SYS_NETBSD_H
 #define GOT_SYS_NETBSD_H
+#include "sys.h"
+
 void SYS_NetBSD_Initialise(void);
 void SYS_NetBSD_Finalise(void);
-void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid);
+void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 #endif
diff --git a/sys_solaris.c b/sys_solaris.c
index 21197b9..9585100 100644
--- a/sys_solaris.c
+++ b/sys_solaris.c
@@ -55,7 +55,7 @@ SYS_Solaris_Finalise(void)
 #ifdef FEAT_PRIVDROP
 void
-SYS_Solaris_DropRoot(uid_t uid, gid_t gid)
+SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 {
 PRV_StartHelper();
 UTI_DropRoot(uid, gid);
diff --git a/sys_solaris.h b/sys_solaris.h
index 46015ba..5979232 100644
--- a/sys_solaris.h
+++ b/sys_solaris.h
@@ -27,10 +27,12 @@
 #ifndef GOT_SYS_SOLARIS_H
 #define GOT_SYS_SOLARIS_H
+#include "sys.h"
+
 void SYS_Solaris_Initialise(void);
 void SYS_Solaris_Finalise(void);
-void SYS_Solaris_DropRoot(uid_t uid, gid_t gid);
+void SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
 #endif