2016-04-12 04:00:33 -05:00
|
|
|
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
|
|
|
|
/*
|
|
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Place for simple security-related code.
|
|
|
|
*/
|
|
|
|
|
2020-04-18 03:39:50 -05:00
|
|
|
#pragma once
|
|
|
|
|
2020-12-01 05:13:44 -06:00
|
|
|
#ifdef __linux__
|
2020-11-25 08:39:22 -06:00
|
|
|
#include <sys/capability.h>
|
2020-12-01 05:13:44 -06:00
|
|
|
#endif
|
2016-04-12 04:00:33 -05:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
|
|
|
#include <pwd.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
|
2021-04-16 09:40:28 -05:00
|
|
|
#ifndef COOL_USER_ID
|
|
|
|
# error "include config.h for user id";
|
|
|
|
#endif
|
2016-04-12 04:00:33 -05:00
|
|
|
|
2017-02-06 16:26:38 -06:00
|
|
|
#ifndef KIT_IN_PROCESS
|
2020-12-18 08:47:51 -06:00
|
|
|
inline int hasUID(const char *userId)
|
|
|
|
{
|
|
|
|
struct passwd *pw = getpwuid(getuid());
|
|
|
|
if (pw && pw->pw_name && !strcmp(pw->pw_name, userId))
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-01-09 13:18:51 -06:00
|
|
|
inline int isInContainer()
|
|
|
|
{
|
|
|
|
#ifdef __linux__
|
|
|
|
FILE *cgroup;
|
|
|
|
char line[80];
|
|
|
|
const char *docker = ":/docker/";
|
|
|
|
cgroup = fopen("/proc/self/cgroup", "r");
|
|
|
|
if(!cgroup)
|
|
|
|
{
|
|
|
|
fprintf(stderr, "Error: cannot open /proc/self/cgroup\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
while (fgets(line, sizeof(line), cgroup) != NULL)
|
|
|
|
{
|
|
|
|
if (strstr(line, docker) != NULL)
|
|
|
|
{
|
|
|
|
fclose(cgroup);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
fclose(cgroup);
|
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-12-18 08:47:51 -06:00
|
|
|
inline int hasCorrectUID(const char *appName)
|
2016-04-12 04:00:33 -05:00
|
|
|
{
|
|
|
|
#if ENABLE_DEBUG
|
|
|
|
(void)appName;
|
|
|
|
return 1; // insecure but easy to use.
|
|
|
|
#else
|
2021-04-16 09:40:28 -05:00
|
|
|
if (hasUID(COOL_USER_ID))
|
2016-04-12 04:00:33 -05:00
|
|
|
return 1;
|
|
|
|
else {
|
2021-04-16 09:40:28 -05:00
|
|
|
fprintf(stderr, "Security: %s incorrect user-name, other than '" COOL_USER_ID "'\n", appName);
|
2020-04-23 13:01:04 -05:00
|
|
|
return 0;
|
2016-04-12 04:00:33 -05:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
2020-11-25 08:39:22 -06:00
|
|
|
|
|
|
|
/** Return 0 if no capability is set on the current binary. Positive number gives the bitfield of caps that are set, negative an error. */
|
2020-12-18 08:47:51 -06:00
|
|
|
inline int hasAnyCapability()
|
2020-11-25 08:39:22 -06:00
|
|
|
{
|
2020-12-01 05:13:44 -06:00
|
|
|
#ifdef __linux__
|
2020-11-25 08:39:22 -06:00
|
|
|
cap_t caps = cap_get_proc();
|
|
|
|
if (caps == nullptr)
|
|
|
|
{
|
|
|
|
fprintf(stderr, "Error: cap_get_proc() failed.\n");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
cap_t caps_none = cap_init();
|
2023-06-15 03:46:49 -05:00
|
|
|
if (caps_none == nullptr)
|
2020-11-25 08:39:22 -06:00
|
|
|
{
|
|
|
|
fprintf(stderr, "Error: cap_init() failed.\n");
|
|
|
|
cap_free(caps);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// 0 = caps of this process equal to no caps
|
|
|
|
int result = cap_compare(caps, caps_none);
|
|
|
|
|
|
|
|
cap_free(caps_none);
|
|
|
|
cap_free(caps);
|
|
|
|
|
|
|
|
return result;
|
2020-12-01 05:13:44 -06:00
|
|
|
#else
|
|
|
|
return 0;
|
|
|
|
#endif
|
2020-11-25 08:39:22 -06:00
|
|
|
}
|
2017-02-06 16:26:38 -06:00
|
|
|
#endif
|
2016-04-12 04:00:33 -05:00
|
|
|
|
|
|
|
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|