From 448627953cde2f7b3b138f53f4f2c62f0d48b726 Mon Sep 17 00:00:00 2001
From: Marc Fournier
Date: Tue, 17 May 2016 07:36:34 +0200
Subject: [PATCH] check_capability: explicitly target recent linux implementations

There are several, incompatible, capabilities implementations, all exposed through ``. Currently only Linux's V3 function and capability sets are supported. This patch guards against using Linux-specific functions & capabilities on other implementations, while structring the code to allow adding support for them.
---
 src/ceph.c | 2 +-
 src/daemon/common.c | 8 +++++++-
 src/dns.c | 2 +-
 src/exec.c | 2 +-
 src/iptables.c | 2 +-
 src/ping.c | 2 +-
 src/turbostat.c | 6 +++---
 7 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/ceph.c b/src/ceph.c
index e9bb960d..8cda764f 100644
--- a/src/ceph.c
+++ b/src/ceph.c
@@ -1577,7 +1577,7 @@ static int ceph_init(void)
 {
 int ret;
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_DAC_OVERRIDE)
 if (check_capability (CAP_DAC_OVERRIDE) != 0)
 {
 if (getuid () == 0)
diff --git a/src/daemon/common.c b/src/daemon/common.c
index 3e2db15a..76561916 100644
--- a/src/daemon/common.c
+++ b/src/daemon/common.c
@@ -1676,6 +1676,7 @@ void strarray_free (char **array, size_t array_len) /* {{{ */
 #ifdef HAVE_SYS_CAPABILITY_H
 int check_capability (int capability) /* {{{ */
 {
+#ifdef _LINUX_CAPABILITY_VERSION_3
 struct __user_cap_header_struct cap_header_data;
 cap_user_header_t cap_header = &cap_header_data;
 struct __user_cap_data_struct cap_data_data;
@@ -1693,5 +1694,10 @@ int check_capability (int capability) /* {{{ */
 return (-1);
 else
 return (0);
+#else
+ WARNING ("check_capability: unsupported capability implementation. "
+ "Some plugin(s) may require elevated privileges to work properly.");
+ return (0);
+#endif /* _LINUX_CAPABILITY_VERSION_3 */
 } /* }}} int check_capability */
-#endif
+#endif /* HAVE_SYS_CAPABILITY_H */
diff --git a/src/dns.c b/src/dns.c
index be6d0dcb..53128396 100644
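Review bot: The guard added on ceph_init's `#if` line keys on `CAP_DAC_OVERRIDE` being defined, while `check_capability` in the common.c hunks of this same patch keys on `_LINUX_CAPABILITY_VERSION_3`; the two conditions are independent, so a header set that provides the `CAP_*` constants without the V3 version macro compiles this call in and lands in the new WARNING/`return (0)` fallback, and the plugin proceeds with nothing actually verified. The same pairing is repeated in the dns.c, exec.c, iptables.c and ping.c hunks. One feature macro defined alongside `check_capability`'s declaration and tested by every caller in place of the per-plugin `defined(CAP_…)` would keep the caller guards and the implementation guard from drifting apart. ceph_init's body continues outside the hunk.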
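Review bot: In the `#else` branch added to `check_capability` the fallback returns `0`, the same value the V3 path returns for a capability that was actually found, so every caller's `!= 0` test passes and the plugin continues as if the check had succeeded; the WARNING is the only trace, and it fires once per calling plugin. The branch also leaves the `capability` parameter unreferenced, which `-Wextra` reports; add `(void) capability;` ahead of the `return (0);`. If "assume held" is the intended policy for unknown implementations, say so on that return, e.g. `/* Unknown implementation: assume the capability is held and let the plugin fail at first privileged use. */`. The middle of `check_capability`, between the two hunks, is outside the patch.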
--- a/src/dns.c
+++ b/src/dns.c
@@ -351,7 +351,7 @@ static int dns_init (void)
 
 listen_thread_init = 1;
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
 if (check_capability (CAP_NET_RAW) != 0)
 {
 if (getuid () == 0)
diff --git a/src/exec.c b/src/exec.c
index c51465b8..1a14293e 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -810,7 +810,7 @@ static int exec_init (void) /* {{{ */
 
 sigaction (SIGCHLD, &sa, NULL);
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_SETUID) && defined(CAP_SETGID)
 if ((check_capability (CAP_SETUID) != 0) ||
 (check_capability (CAP_SETGID) != 0))
 {
diff --git a/src/iptables.c b/src/iptables.c
index 66dbab7f..c0854b3f 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -505,7 +505,7 @@ static int iptables_shutdown (void)
 
 static int iptables_init (void)
 {
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_ADMIN)
 if (check_capability (CAP_NET_ADMIN) != 0)
 {
 if (getuid () == 0)
diff --git a/src/ping.c b/src/ping.c
index 9b5d5ca5..7b28ed37 100644
--- a/src/ping.c
+++ b/src/ping.c
@@ -452,7 +452,7 @@ static int ping_init (void) /* {{{ */
 "Will use a timeout of %gs.", ping_timeout);
 }
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
 if (check_capability (CAP_NET_RAW) != 0)
 {
 if (getuid () == 0)
diff --git a/src/turbostat.c b/src/turbostat.c
index 6e0405d0..a1faac48 100644
--- a/src/turbostat.c
+++ b/src/turbostat.c
@@ -1480,13 +1480,13 @@ check_permissions(void)
 if (getuid() == 0) {
 /* We have everything we need */
 return 0;
-#ifndef HAVE_SYS_CAPABILITY_H
+#if !defined(HAVE_SYS_CAPABILITY_H) && !defined(CAP_SYS_RAWIO)
 } else {
 ERROR("turbostat plugin: Initialization failed: this plugin "
 "requires collectd to run as root");
 return -1;
 }
-#else /* HAVE_SYS_CAPABILITY_H */
+#else /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
 }
 
 if (check_capability(CAP_SYS_RAWIO) != 0) {
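Review bot: The rewritten preprocessor condition in the turbostat hunk, `#if !defined(HAVE_SYS_CAPABILITY_H) && !defined(CAP_SYS_RAWIO)`, is the wrong De Morgan form: the root-only error path should be selected when either macro is missing, but this expression selects it only when both are missing. With `HAVE_SYS_CAPABILITY_H` defined and `CAP_SYS_RAWIO` absent, the exact case the other hunks handle with `defined(...) && defined(...)`, the `#else` side is compiled and `check_capability(CAP_SYS_RAWIO)` fails on the undeclared constant; in the reverse case it calls a `check_capability` that common.c only defines under `HAVE_SYS_CAPABILITY_H`. Change the line to `#if !defined(HAVE_SYS_CAPABILITY_H) || !defined(CAP_SYS_RAWIO)`; the `#else` and `#endif` comments, which already read `HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO`, then describe the condition correctly. check_permissions starts before this hunk and ends after the following one.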
@@ -1511,7 +1511,7 @@ check_permissions(void)
 "collectd a special capability (CAP_SYS_RAWIO) and read "
 "access to /dev/cpu/*/msr (see previous warnings)");
 return ret;
-#endif /* HAVE_SYS_CAPABILITY_H */
+#endif /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
 }
 
 static int
-- 
2.11.0