From 82acc16141c63f979c67da881b9c8a05b01fb921 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomi=20Lepp=C3=A4nen?=
Date: Tue, 23 Mar 2021 13:15:26 +0200
Subject: [PATCH] [mapplauncherd] Drop capabilities before launching process. Contributes to JB#53620
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Tomi Leppänen
---
 rpm/mapplauncherd.spec | 1 +
 src/launcherlib/CMakeLists.txt | 2 +-
 src/launcherlib/daemon.cpp | 19 +++++++++++++++++++
 src/launcherlib/daemon.h | 4 ++++
 4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/rpm/mapplauncherd.spec b/rpm/mapplauncherd.spec
index 87b7e3b..6bf24d4 100644
--- a/rpm/mapplauncherd.spec
+++ b/rpm/mapplauncherd.spec
@@ -14,6 +14,7 @@ Requires(pre): sailfish-setup
 BuildRequires: pkgconfig(libshadowutils)
 BuildRequires: pkgconfig(systemd)
 BuildRequires: pkgconfig(dbus-1)
+BuildRequires: pkgconfig(libcap)
 BuildRequires: cmake
 Provides: meegotouch-applauncherd > 3.0.3
 Obsoletes: meegotouch-applauncherd <= 3.0.3
diff --git a/src/launcherlib/CMakeLists.txt b/src/launcherlib/CMakeLists.txt
index 50f1efe..2e32d69 100644
--- a/src/launcherlib/CMakeLists.txt
+++ b/src/launcherlib/CMakeLists.txt
@@ -16,7 +16,7 @@ set(HEADERS appdata.h booster.h connection.h daemon.h logger.h launcherlib.h
 # Set libraries to be linked. Shared libraries to be preloaded are not linked in anymore,
 # but dlopen():ed and listed in src/launcher/preload.h instead.
-link_libraries(${LIBDL} "-L/lib -lsystemd")
+link_libraries(${LIBDL} "-L/lib -lsystemd -lcap")
 # Set executable
 add_library(applauncherd MODULE ${SRC} ${MOC_SRC})
diff --git a/src/launcherlib/daemon.cpp b/src/launcherlib/daemon.cpp
index a1c0edf..13fefdf 100644
--- a/src/launcherlib/daemon.cpp
+++ b/src/launcherlib/daemon.cpp
@@ -1,6 +1,8 @@
 /***************************************************************************
 **
 ** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2013 - 2021 Jolla Ltd.
+** Copyright (C) 2020 Open Mobile Platform LLC.
 ** All rights reserved.
 ** Contact: Nokia Corporation (directui@nokia.com)
 **
@@ -26,6 +28,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -346,6 +349,19 @@ void Daemon::loadSingleInstancePlugin()
 }
 }
+void Daemon::dropCapabilities()
+{
+ cap_t caps = cap_init();
+
+ if (!caps || cap_set_proc(caps) == -1) {
+ Logger::logError("Daemon: Failed to drop capabilities");
+ }
+
+ if (caps) {
+ cap_free(caps);
+ }
+}
+
 void Daemon::forkBooster(int sleepTime)
 {
 if (!m_booster) {
@@ -413,6 +429,9 @@ void Daemon::forkBooster(int sleepTime)
 m_instance = NULL;
+ // No need for capabilities anymore
+ dropCapabilities();
+
 // Run the current Booster
 int retval = m_booster->run(m_socketManager);
diff --git a/src/launcherlib/daemon.h b/src/launcherlib/daemon.h
index 2c969ee..0f7c4db 100644
--- a/src/launcherlib/daemon.h
+++ b/src/launcherlib/daemon.h
@@ -1,6 +1,7 @@
 /***************************************************************************
 **
 ** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2013 - 2021 Jolla Ltd.
 ** All rights reserved.
 ** Contact: Nokia Corporation (directui@nokia.com)
 **
@@ -205,6 +206,9 @@ private:
 //! True if systemd needs to be notified
 bool m_notifySystemd;
+ //! Drop capabilities needed for initialization
+ static void dropCapabilities();
+
 //! Booster instance
 Booster * m_booster;
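Review bot: `Daemon::dropCapabilities()` in daemon.cpp fails open: when `cap_init()` or `cap_set_proc()` fails it only calls `Logger::logError(...)` and returns, and the call site added to `forkBooster()` then goes on to `m_booster->run(m_socketManager)` with the capability sets unchanged. Because the function returns `void`, the caller cannot tell that the drop did not happen; if this path is the forked booster child (the rest of `forkBooster()` lies outside the hunk), ending the process is the safer outcome, e.g. `Logger::logError("Daemon: Failed to drop capabilities"); _exit(EXIT_FAILURE);`. A comment above the function should also state that the empty set from `cap_init()` clears the permitted, effective and inheritable sets but leaves the bounding set alone, so a process that still runs as uid 0 or later executes a file carrying file capabilities could regain them.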