1 Index: src/start-stop-daemon.c
2 ===================================================================
3 --- src/start-stop-daemon.c (wersja 10357)
4 +++ src/start-stop-daemon.c (kopia robocza)
9 +#if HAVE_SYS_CAPABILITY_H
10 +#include <sys/prctl.h>
11 +#include <sys/capability.h>
15 #include <sys/param.h>
16 #include <sys/pstat.h>
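Review bot: The new include block is guarded with `#if HAVE_SYS_CAPABILITY_H`, while every other guard this patch adds uses `#ifdef HAVE_SYS_CAPABILITY_H`; use `#ifdef` here too so the file does not trip -Wundef when the header is absent. The guard also covers only `<sys/capability.h>`, yet the new code relies on `PR_CAPBSET_DROP` from `<sys/prctl.h>`, which older kernel headers may not define. Consider enabling the feature only under `#if defined(HAVE_SYS_CAPABILITY_H) && defined(PR_CAPBSET_DROP)`, tested after the includes. The closing `#endif` of this block is not visible in the hunk.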
18 static const char *schedule_str = NULL;
19 static const char *progname = "";
20 static int nicelevel = 0;
21 +static char *caplist = NULL;
23 static struct stat exec_stat;
26 " -n|--name <process-name> stop processes with this name\n"
27 " -s|--signal <signal> signal to send (default TERM)\n"
28 " -a|--startas <pathname> program to start (default is <executable>)\n"
29 +" -D|--dropcap <capbilities> drop theses capabilities\n"
30 " -C|--chdir <directory> Change to <directory>(default is /)\n"
31 " -N|--nicelevel <incr> add incr to the process's nice level\n"
32 " -b|--background force the process to detach\n"
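Review bot: The added usage line misspells both words it introduces, `<capbilities>` and `theses`, and does not say that the argument is a comma-separated list, which is how remove_capabilities() parses it. Suggested text: `" -D|--dropcap <cap1,cap2,...> drop these capabilities (comma-separated)\n"`. The same `theses` spelling recurs in the cap_set_proc() fatal() message and in the man page entry.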
37 +#ifdef HAVE_SYS_CAPABILITY_H
39 +remove_capabilities(char *capstr) {
41 + char *savedptr, *ptr;
44 + caps = cap_get_proc();
46 + fatal("Unable to retrieve my capabilities");
49 + ptr = strtok_r(capstr, ",", &savedptr);
51 + if (cap_from_name(ptr, &capval) != 0) {
53 + fatal("Unable to parse this capability : \"%s\"", ptr);
56 + if (prctl(PR_CAPBSET_DROP, capval, 0, 0) != 0) {
57 + fatal("Unable to drop this capability: %s", ptr);
60 + if (cap_set_flag(caps, CAP_INHERITABLE, 1, (cap_value_t *)&capval, CAP_CLEAR) != 0) {
61 + fatal("Unable to clear the capability %s", ptr);
64 + ptr = strtok_r(NULL, ",", &savedptr);
67 + if (cap_set_proc(caps) != 0) {
68 + fatal("Unable to remove theses capabilities from the inherited set\n");
71 + if (cap_free(caps) == -1) {
72 + fatal("Cannot free the capability");
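Review bot: None of the fatal() calls in remove_capabilities() reports errno, so an operator cannot tell EPERM (the caller lacks CAP_SETPCAP) from EINVAL (the kernel rejects the capability) when `prctl(PR_CAPBSET_DROP, ...)` or `cap_set_proc()` fails. The existing execv error path formats `strerror(errno)` and these should too, e.g. `fatal("Unable to drop capability %s: %s", ptr, strerror(errno));`. The cap_set_proc() message also ends in `\n`, unlike the others. A header comment would help: `/* Drop each comma-separated capability in capstr from the bounding and inheritable sets; capstr is modified in place by strtok_r(). */`. The function's declarations, loop header and closing brace are not shown in this hunk.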
78 parse_options(int argc, char * const *argv)
80 static struct option longopts[] = {
82 { "user", 1, NULL, 'u'},
83 { "group", 1, NULL, 'g'},
84 { "chroot", 1, NULL, 'r'},
85 + { "dropcap", 1, NULL, 'D'},
86 { "verbose", 0, NULL, 'v'},
87 { "exec", 1, NULL, 'x'},
88 { "chuid", 1, NULL, 'c'},
93 - c = getopt_long(argc, argv, "HKSVa:n:op:qr:s:tu:vx:c:N:bmR:g:d:",
94 + c = getopt_long(argc, argv, "HKSVa:n:op:qr:s:tu:vx:c:N:bmR:g:d:D",
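Review bot: The new short option is added to the getopt_long() string as `D` with no trailing colon, so `-D cap_net_raw` is parsed as a flag without an argument and `optarg` is NULL in the `case 'D'` branch. The long form `--dropcap` is declared with has_arg 1 and does take one. The option string should end in `d:D:`. As written, the short form leaves the capability list NULL, so either nothing is dropped and the daemon starts with the capabilities the operator meant to remove, or remove_capabilities() passes a NULL string to strtok_r(). Which of the two happens depends on how the branch and the later call are guarded, and those lines are not visible here.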
99 case 'r': /* --chroot /new/root */
102 + case 'D': /* --dropcap cap_net_raw,cap_mac_admin */
103 +#ifdef HAVE_SYS_CAPABILITY_H
106 + badusage("Capabilities are not supported on your OS");
109 case 'N': /* --nice */
110 nicelevel = atoi(optarg);
112 @@ -1298,6 +1353,13 @@
117 +#ifdef HAVE_SYS_CAPABILITY_H
119 + remove_capabilities(caplist);
123 execv(startas, argv);
124 fatal("Unable to start %s: %s", startas, strerror(errno));
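Review bot: The capability drop is placed directly before execv(), which may be after the --chuid/--group credential change has already run. That code is outside this hunk, so the ordering needs confirming. `prctl(PR_CAPBSET_DROP, ...)` needs CAP_SETPCAP in the effective set, which a process loses once it has switched to a non-root uid, so combining --dropcap with --chuid would end in fatal() instead of starting the daemon. If that ordering holds, move the call ahead of the uid/gid change and record the constraint with a comment such as `/* must run while still privileged: PR_CAPBSET_DROP requires CAP_SETPCAP */`.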
126 Index: man/start-stop-daemon.8
127 ===================================================================
128 --- man/start-stop-daemon.8 (wersja 10357)
129 +++ man/start-stop-daemon.8 (kopia robocza)
131 before starting the process. Please note that the pidfile is also written
134 +.BR \-D ", " \-\-dropcap " \fIcapabilities1,capabilities2\fP"
135 +Drop theses capabilities separated by commas.
137 \fB\-d\fP|\fB\-\-chdir\fP \fIpath\fP
140 --- configure.ac~ 2009-05-14 23:25:58.000000000 +0200
141 +++ configure.ac 2009-05-14 23:26:55.909921728 +0200
143 DPKG_C_GCC_ATTRIBUTE(format...,format,[char *y, ...],[format(printf,1,2)],PRINTFFORMAT,[Define if printf-format argument lists a la GCC are available.]))
145 AC_CHECK_TYPE(ptrdiff_t,int)
146 -AC_CHECK_HEADERS([stddef.h])
147 +AC_CHECK_HEADERS([stddef.h sys/capability.h])
150 AC_SUBST(BASHSCRIPTS)
151 --- src/Makefile.am 2008-04-09 10:54:00.000000000 +0200
152 +++ src/Makefile.am 2009-05-14 23:33:27.764736146 +0200
154 consoletype_SOURCES = consoletype.c
156 start_stop_daemon_SOURCES = start-stop-daemon.c
157 +start_stop_daemon_LDADD = -lcap
159 fstab_decode_SOURCES = fstab-decode.c
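Review bot: `start_stop_daemon_LDADD = -lcap` links libcap unconditionally, although the C code treats capability support as optional behind HAVE_SYS_CAPABILITY_H. On a system without libcap the link fails even though the feature would be compiled out. The configure.ac change checks only for the header, not the library. Adding `AC_CHECK_LIB([cap], [cap_get_proc], [CAP_LIBS=-lcap])` and `AC_SUBST([CAP_LIBS])` there, and using `start_stop_daemon_LDADD = $(CAP_LIBS)` here, would keep the two in step.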
160 --- rc.d/init.d/functions 2009-05-14 23:34:02.000000000 +0200
161 +++ rc.d/init.d/functions 2009-05-15 00:16:59.584273051 +0200
163 ${chdir:+--chdir "$chdir"} \
164 ${fork:+--background} \
165 ${waitname:+--name $waitname} \
166 + ${SERVICE_DROPCAPS:+--dropcap $SERVICE_DROPCAPS} \