[mapplauncherd] Drop capabilities before launching process. Contributes to JB#53620

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
5 years ago · 82acc16141
parent 338e69d20f
commit 82acc16141
4 changed files with 25 additions and 1 deletions
--- a/rpm/mapplauncherd.spec
+++ b/rpm/mapplauncherd.spec
@ -14,6 +14,7 @@ Requires(pre):  sailfish-setup
 BuildRequires:  pkgconfig(libshadowutils)
 BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(dbus-1)
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  cmake
 Provides:   meegotouch-applauncherd > 3.0.3
 Obsoletes:   meegotouch-applauncherd <= 3.0.3
--- a/src/launcherlib/CMakeLists.txt
+++ b/src/launcherlib/CMakeLists.txt
@ -16,7 +16,7 @@ set(HEADERS appdata.h booster.h connection.h daemon.h logger.h launcherlib.h

 # Set libraries to be linked. Shared libraries to be preloaded are not linked in anymore,
 # but dlopen():ed and listed in src/launcher/preload.h instead.
-link_libraries(${LIBDL} "-L/lib -lsystemd")
+link_libraries(${LIBDL} "-L/lib -lsystemd -lcap")

 # Set executable
 add_library(applauncherd MODULE ${SRC} ${MOC_SRC})
--- a/src/launcherlib/daemon.cpp
+++ b/src/launcherlib/daemon.cpp
@ -1,6 +1,8 @@
 /***************************************************************************
 **
 ** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2013 - 2021 Jolla Ltd.
+** Copyright (C) 2020 Open Mobile Platform LLC.
 ** All rights reserved.
 ** Contact: Nokia Corporation (directui@nokia.com)
 **
@ -26,6 +28,7 @@

 #include <cstdlib>
 #include <cerrno>
+#include <sys/capability.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@ -346,6 +349,19 @@ void Daemon::loadSingleInstancePlugin()
    }
 }

+void Daemon::dropCapabilities()
+{
+    cap_t caps = cap_init();
+
+    if (!caps || cap_set_proc(caps) == -1) {
+        Logger::logError("Daemon: Failed to drop capabilities");
+    }
+
+    if (caps) {
+        cap_free(caps);
+    }
+}
+
 void Daemon::forkBooster(int sleepTime)
 {
    if (!m_booster) {
@ -413,6 +429,9 @@ void Daemon::forkBooster(int sleepTime)

        m_instance = NULL;

+        // No need for capabilities anymore
+        dropCapabilities();
+
        // Run the current Booster
        int retval = m_booster->run(m_socketManager);

--- a/src/launcherlib/daemon.h
+++ b/src/launcherlib/daemon.h
@ -1,6 +1,7 @@
 /***************************************************************************
 **
 ** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2013 - 2021 Jolla Ltd.
 ** All rights reserved.
 ** Contact: Nokia Corporation (directui@nokia.com)
 **
@ -205,6 +206,9 @@ private:
    //! True if systemd needs to be notified
    bool m_notifySystemd;

+    //! Drop capabilities needed for initialization
+    static void dropCapabilities();
+
    //! Booster instance
    Booster * m_booster;