faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sys: specify process context for dropping root

Browse source 
Similarly to enabling the syscall filter, specify what kind of chronyd
process is dropping the root privileges.
This commit is contained in:
Miroslav Lichvar 2020-10-05 18:10:35 +02:00
parent 545d2563ef
commit a96d288027
12 changed files with 29 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
main.c
View file

@ -625,7 +625,7 @@ int main
/* Drop root privileges if the specified user has a non-zero UID */ /* Drop root privileges if the specified user has a non-zero UID */
if (!geteuid() && (pw->pw_uid || pw->pw_gid)) if (!geteuid() && (pw->pw_uid || pw->pw_gid))
SYS_DropRoot(pw->pw_uid, pw->pw_gid); SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS);
REF_Initialise(); REF_Initialise();
SST_Initialise(); SST_Initialise();

2
nts_ke_server.c
View file

@ -646,7 +646,7 @@ run_helper(uid_t uid, gid_t gid, int scfilter_level)
LOG_SetMinSeverity(log_severity); LOG_SetMinSeverity(log_severity);
if (!geteuid() && (uid || gid)) if (!geteuid() && (uid || gid))
SYS_DropRoot(uid, gid); SYS_DropRoot(uid, gid, SYS_NTSKE_HELPER);
NKS_Initialise(); NKS_Initialise();

12
sys.c
View file

@ -97,16 +97,16 @@ SYS_Finalise(void)
/* ================================================== */ /* ================================================== */
void SYS_DropRoot(uid_t uid, gid_t gid) void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
{ {
#if defined(LINUX) && defined (FEAT_PRIVDROP) #if defined(LINUX) && defined (FEAT_PRIVDROP)
SYS_Linux_DropRoot(uid, gid, !null_driver); SYS_Linux_DropRoot(uid, gid, context, !null_driver);
#elif defined(SOLARIS) && defined(FEAT_PRIVDROP) #elif defined(SOLARIS) && defined(FEAT_PRIVDROP)
SYS_Solaris_DropRoot(uid, gid); SYS_Solaris_DropRoot(uid, gid, context);
#elif (defined(NETBSD) || defined(FREEBSD)) && defined(FEAT_PRIVDROP) #elif (defined(NETBSD) || defined(FREEBSD)) && defined(FEAT_PRIVDROP)
SYS_NetBSD_DropRoot(uid, gid); SYS_NetBSD_DropRoot(uid, gid, context);
#elif defined(MACOSX) && defined(FEAT_PRIVDROP) #elif defined(MACOSX) && defined(FEAT_PRIVDROP)
SYS_MacOSX_DropRoot(uid, gid); SYS_MacOSX_DropRoot(uid, gid, context);
#else #else
LOG_FATAL("dropping root privileges not supported"); LOG_FATAL("dropping root privileges not supported");
#endif #endif
@ -114,7 +114,7 @@ void SYS_DropRoot(uid_t uid, gid_t gid)
/* ================================================== */ /* ================================================== */
void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context) void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context)
{ {
#if defined(LINUX) && defined(FEAT_SCFILTER) #if defined(LINUX) && defined(FEAT_SCFILTER)
SYS_Linux_EnableSystemCallFilter(level, context); SYS_Linux_EnableSystemCallFilter(level, context);

10
sys.h
View file

@ -35,17 +35,17 @@ extern void SYS_Initialise(int clock_control);
/* Called at the end of the run to do final clean-up */ /* Called at the end of the run to do final clean-up */
extern void SYS_Finalise(void); extern void SYS_Finalise(void);
/* Drop root privileges to the specified user and group */
extern void SYS_DropRoot(uid_t uid, gid_t gid);
typedef enum { typedef enum {
SYS_MAIN_PROCESS, SYS_MAIN_PROCESS,
SYS_NTSKE_HELPER, SYS_NTSKE_HELPER,
} SYS_SystemCallContext; } SYS_ProcessContext;
/* Switch to the specified user and group in given context */
extern void SYS_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
/* Enable a system call filter to allow only system calls /* Enable a system call filter to allow only system calls
which chronyd normally needs after initialization */ which chronyd normally needs after initialization */
extern void SYS_EnableSystemCallFilter(int level, SYS_SystemCallContext context); extern void SYS_EnableSystemCallFilter(int level, SYS_ProcessContext context);
extern void SYS_SetScheduler(int SchedPriority); extern void SYS_SetScheduler(int SchedPriority);
extern void SYS_LockMemory(void); extern void SYS_LockMemory(void);

4
sys_linux.c
View file

@ -426,7 +426,7 @@ SYS_Linux_Finalise(void)
#ifdef FEAT_PRIVDROP #ifdef FEAT_PRIVDROP
void void
SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control) SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control)
{ {
char cap_text[256]; char cap_text[256];
cap_t cap; cap_t cap;
@ -480,7 +480,7 @@ void check_seccomp_applicability(void)
/* ================================================== */ /* ================================================== */
void void
SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context) SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
{ {
const int syscalls[] = { const int syscalls[] = {
/* Clock */ /* Clock */

4
sys_linux.h
View file

@ -33,9 +33,9 @@ extern void SYS_Linux_Initialise(void);
extern void SYS_Linux_Finalise(void); extern void SYS_Linux_Finalise(void);
extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control); extern void SYS_Linux_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context, int clock_control);
extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context); extern void SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context);
extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor); extern int SYS_Linux_CheckKernelVersion(int req_major, int req_minor);

2
sys_macosx.c
View file

@ -415,7 +415,7 @@ SYS_MacOSX_SetScheduler(int SchedPriority)
/* ================================================== */ /* ================================================== */
#ifdef FEAT_PRIVDROP #ifdef FEAT_PRIVDROP
void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid) void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
{ {
PRV_StartHelper(); PRV_StartHelper();

4
sys_macosx.h
View file

@ -30,8 +30,10 @@
#ifndef GOT_SYS_MACOSX_H #ifndef GOT_SYS_MACOSX_H
#define GOT_SYS_MACOSX_H #define GOT_SYS_MACOSX_H
#include "sys.h"
void SYS_MacOSX_SetScheduler(int SchedPriority); void SYS_MacOSX_SetScheduler(int SchedPriority);
void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid); void SYS_MacOSX_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
void SYS_MacOSX_Initialise(void); void SYS_MacOSX_Initialise(void);
void SYS_MacOSX_Finalise(void); void SYS_MacOSX_Finalise(void);

2
sys_netbsd.c
View file

@ -131,7 +131,7 @@ SYS_NetBSD_Finalise(void)
#ifdef FEAT_PRIVDROP #ifdef FEAT_PRIVDROP
void void
SYS_NetBSD_DropRoot(uid_t uid, gid_t gid) SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
{ {
#ifdef NETBSD #ifdef NETBSD
int fd; int fd;

4
sys_netbsd.h
View file

@ -28,10 +28,12 @@
#ifndef GOT_SYS_NETBSD_H #ifndef GOT_SYS_NETBSD_H
#define GOT_SYS_NETBSD_H #define GOT_SYS_NETBSD_H
#include "sys.h"
void SYS_NetBSD_Initialise(void); void SYS_NetBSD_Initialise(void);
void SYS_NetBSD_Finalise(void); void SYS_NetBSD_Finalise(void);
void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid); void SYS_NetBSD_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
#endif #endif

2
sys_solaris.c
View file

@ -55,7 +55,7 @@ SYS_Solaris_Finalise(void)
#ifdef FEAT_PRIVDROP #ifdef FEAT_PRIVDROP
void void
SYS_Solaris_DropRoot(uid_t uid, gid_t gid) SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
{ {
PRV_StartHelper(); PRV_StartHelper();
UTI_DropRoot(uid, gid); UTI_DropRoot(uid, gid);

4
sys_solaris.h
View file

@ -27,10 +27,12 @@
#ifndef GOT_SYS_SOLARIS_H #ifndef GOT_SYS_SOLARIS_H
#define GOT_SYS_SOLARIS_H #define GOT_SYS_SOLARIS_H
#include "sys.h"
void SYS_Solaris_Initialise(void); void SYS_Solaris_Initialise(void);
void SYS_Solaris_Finalise(void); void SYS_Solaris_Finalise(void);
void SYS_Solaris_DropRoot(uid_t uid, gid_t gid); void SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context);
#endif #endif