Add capabilities support on Linux

Fixes davmac314#398

.github/workflows/meson_ci.yml

@@ -61,12 +61,12 @@ jobs:
       if: ${{ matrix.arch == 'amd64' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install g++ meson m4 -y
+        DEBIAN_FRONTEND=noninteractive apt-get install g++ meson m4 libcap-dev -y
     - name: Getting depends (i386)
       if: ${{ matrix.arch == 'i386' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install meson m4:i386 g++:i386 -y
+        DEBIAN_FRONTEND=noninteractive apt-get install meson m4:i386 g++:i386 libcap-dev:i386 -y
     - name: Setup
       run: meson setup -Dunit-tests=true -Digr-tests=true dirbuild
     - name: Build
@@ -130,7 +130,7 @@ jobs:
     - name: Getting depends
       run: |
         apk update
-        apk add meson g++ m4
+        apk add meson g++ m4 libcap-dev
     - name: Setup
       run: meson setup -Dunit-tests=true -Digr-tests=true dirbuild
     - name: Build

.github/workflows/regular_ci.yml

@@ -52,12 +52,12 @@ jobs:
       if: ${{ matrix.arch == 'amd64' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install g++ make m4 file -y
+        DEBIAN_FRONTEND=noninteractive apt-get install g++ make m4 libcap-dev file -y
     - name: Getting depends (i386)
       if: ${{ matrix.arch == 'i386' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install gcc:i386 make:i386 m4:i386 g++:i386 file -y
+        DEBIAN_FRONTEND=noninteractive apt-get install gcc:i386 make:i386 m4:i386 g++:i386 libcap-dev:i386 file -y
     - name: Print g++ architecture
       run: g++ -dumpmachine
     - name: Build
@@ -123,7 +123,7 @@ jobs:
     - name: Getting depends
       run: |
         apk update
-        apk add make g++ m4 file
+        apk add make g++ m4 file libcap-dev
     - name: Print g++ architecture
       run: g++ -dumpmachine
     - name: Build

build/Makefile

@@ -15,6 +15,7 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
 		DEFAULT_START_TIMEOUT=$(DEFAULT_START_TIMEOUT) \
 		DEFAULT_STOP_TIMEOUT=$(DEFAULT_STOP_TIMEOUT) \
 		$(if $(SUPPORT_CGROUPS),SUPPORT_CGROUPS=$(SUPPORT_CGROUPS),) \
+		$(if $(SUPPORT_CAPABILITIES),SUPPORT_CAPABILITIES=$(SUPPORT_CAPABILITIES),) \
 		$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
 		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
 

build/mconfig.mesontemplate

@@ -8,6 +8,7 @@
 #mesondefine USE_UTMPX
 #mesondefine USE_INITGROUPS
 #mesondefine SUPPORT_CGROUPS
+#mesondefine SUPPORT_CAPABILITIES
 #mesondefine DEFAULT_AUTO_RESTART
 #mesondefine DEFAULT_START_TIMEOUT
 #mesondefine DEFAULT_STOP_TIMEOUT

build/tools/mconfig-gen.cc

@@ -77,6 +77,9 @@ int main(int argc, char **argv)
     if (vars.find("SUPPORT_CGROUPS") != vars.end()) {
         cout << "#define SUPPORT_CGROUPS " << vars["SUPPORT_CGROUPS"] << "\n";
     }
+    if (vars.find("SUPPORT_CAPABILITIES") != vars.end()) {
+        cout << "#define SUPPORT_CAPABILITIES " << vars["SUPPORT_CAPABILITIES"] << "\n";
+    }
     if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
         cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
     }

configs/mconfig.Linux

@@ -38,6 +38,7 @@ TEST_LDFLAGS=$(TEST_LDFLAGS_BASE) $(TEST_CXXFLAGS)
 # Features.
 
 SUPPORT_CGROUPS=1
+SUPPORT_CAPABILITIES=1
 
 
 # Service defaults.

configs/mconfig.Linux.sh

@@ -111,6 +111,7 @@ FEATURE_SETTINGS=$(
   echo "# Feature settings"
   echo ""
   echo "SUPPORT_CGROUPS=1"
+  echo "SUPPORT_CAPABILITIES=1"
 )
 
 SERVICE_DEFAULTS=$(

configure

@@ -208,6 +208,7 @@ for var in PREFIX \
            SHUTDOWN_PREFIX \
            BUILD_SHUTDOWN \
            SUPPORT_CGROUPS \
+           SUPPORT_CAPABILITIES \
            USE_UTMPX \
            USE_INITGROUPS \
            SYSCONTROLSOCKET \
@@ -239,6 +240,8 @@ for arg in "$@"; do
         --disable-shutdown|--enable-shutdown=no) BUILD_SHUTDOWN=no ;;
         --enable-cgroups|--enable-cgroups=yes) SUPPORT_CGROUPS=1 ;;
         --disable-cgroups|--enable-cgroups=no) SUPPORT_CGROUPS=0 ;;
+        --enable-capabilities|--enable-capabilities=yes) SUPPORT_CAPABILITIES=1 ;;
+        --disable-capabilities|--enable-capabilities=no) SUPPORT_CAPABILITIES=0 ;;
         --enable-utmpx|--enable-utmpx=yes) USE_UTMPX=1 ;;
         --disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
         --enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
@@ -278,10 +281,12 @@ done
 if [ "$PLATFORM" = "Linux" ]; then
     : "${BUILD_SHUTDOWN:="yes"}"
     : "${SUPPORT_CGROUPS:="1"}"
+    : "${SUPPORT_CAPABILITIES:="1"}"
     : "${SYSCONTROLSOCKET:="/run/dinitctl"}"
 else
     : "${BUILD_SHUTDOWN:="no"}"
     : "${SUPPORT_CGROUPS:="0"}"
+    : "${SUPPORT_CAPABILITIES:="0"}"
     : "${SYSCONTROLSOCKET:="/var/run/dinitctl"}"
 fi
 
@@ -467,6 +472,7 @@ STRIPOPTS=$STRIPOPTS
 # Feature settings
 SUPPORT_CGROUPS=$SUPPORT_CGROUPS
 USE_INITGROUPS=$USE_INITGROUPS
+SUPPORT_CAPABILITIES=$SUPPORT_CAPABILITIES
 
 # Optional settings
 SHUTDOWN_PREFIX=${SHUTDOWN_PREFIX:-}

doc/manpages/dinit-service.5.m4

@@ -557,6 +557,29 @@ The named cgroup must already exist prior to the service starting; it will not b
 \fBdinit\fR.
 .IP
 This setting is only available if \fBdinit\fR was built with cgroups support.
+.TP
+\fBcapabilities\fR = \fIiab\fR
+.TQ
+\fBcapabilities\fR += \fIiab-addendum\fR
+Run the service process(es) with capabilities specified by \fIiab\fR (see \fBcapabilities\fR(7)).
+The syntax follows the regular capabilities IAB format, with comma-separated capabilities.
+The append form of this setting will add to the previous IAB string, automatically adding
+a comma to the previous string, so you do not need to add it manually.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
+.TP
+\fBsecure\-bits\fR = \fIsecbits\fR
+.TQ
+\fBsecure\-bits\fR += \fIsecbits-addendum\fR
+This is a companion option to \fBcapabilities\fR, specifying the secure bits for the
+process.
+Here, it is a space-separated list of keywords. The allowed keywords are \fIkeep-caps\fR,
+\fIno-setuid-fixup\fR, \fInoroot\fR, and variants of the three with the \fI-locked\fR
+suffix.
+The append form can be used to add more secure bits, with everything being ORed together
+at the end and used as an integer.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
 .\"
 .SS OPTIONS
 .\"
@@ -685,6 +708,13 @@ is suggested, i.e. every other service should either be a (possibly transitive)
 dependent of the service with this option set.
 .IP
 This option can be used for scripted and internal services only.
+.TP
+\fBno\-new\-privs\fR
+Normally, child processes can gain privileges that their parent did not have, such
+as setuid or setgid and file capabilities. This option can be specified to prevent
+the service from gaining such privileges.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
 .\"
 .SS RESOURCE LIMITS
 .\"

meson.build

@@ -31,6 +31,7 @@ igr_tests = get_option('igr-tests')
 fuzzer = get_option('fuzzer')
 man_pages = get_option('man-pages')
 support_cgroups = get_option('support-cgroups')
+support_capabilities = get_option('support-capabilities')
 use_utmpx = get_option('use-utmpx')
 use_initgroups = get_option('use-initgroups')
 default_auto_restart = get_option('default-auto-restart')
@@ -56,6 +57,9 @@ if platform == 'freebsd' and compiler.has_link_argument('-lrt')
     add_project_link_arguments('-lrt', language : 'cpp')
 endif
 
+## Dependencies
+libcap_dep = dependency('libcap', required: support_capabilities)
+
 ## Prepare mconfig.h
 mconfig_data.set_quoted('DINIT_VERSION', version)
 mconfig_data.set_quoted('SYSCONTROLSOCKET', dinit_control_socket_path)
@@ -65,9 +69,8 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
-if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
-    mconfig_data.set('SUPPORT_CGROUPS', '1') 
-endif
+mconfig_data.set10('SUPPORT_CGROUPS', support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled())
+mconfig_data.set10('SUPPORT_CAPABILITIES', libcap_dep.found() and not support_capabilities.disabled())
 if use_utmpx.enabled() or (use_utmpx.auto() and compiler.has_header_symbol('utmpx.h', '_PATH_UTMPX') and
         compiler.has_header_symbol('utmpx.h', '_PATH_WTMPX'))
     mconfig_data.set('USE_UTMPX', '1')

meson_options.txt

@@ -83,7 +83,13 @@ option(
     'support-cgroups',
     type : 'feature',
     value : 'auto',
-    description : 'Enable Cgroups supprot.'
+    description : 'Enable Cgroups support.'
+)
+option(
+    'support-capabilities',
+    type : 'feature',
+    value : 'auto',
+    description : 'Enable capabilities support.'
 )
 option(
     'build-shutdown',

src/Makefile

@@ -9,6 +9,10 @@ ifeq ($(BUILD_SHUTDOWN),yes)
   SHUTDOWN=$(SHUTDOWN_PREFIX)shutdown
 endif
 
+ifeq ($(SUPPORT_CAPABILITIES),1)
+  ALL_LDFLAGS+=-lcap
+endif
+
 dinit_objects = dinit.o load-service.o service.o proc-service.o baseproc-service.o control.o dinit-log.o \
 		dinit-main.o run-child-proc.o options-processing.o dinit-env.o settings.o
 

src/baseproc-service.cc

@@ -260,6 +260,11 @@ bool base_process_service::start_ps_process(const std::vector<const char *> &cmd
             #if SUPPORT_CGROUPS
             run_params.run_in_cgroup = run_in_cgroup.c_str();
             #endif
+            #if SUPPORT_CAPABILITIES
+            run_params.cap_iab = cap_iab.get();
+            run_params.secbits = secbits;
+            run_params.no_new_privs = onstart_flags.no_new_privs;
+            #endif
             run_child_proc(run_params);
         }
         else {