Merge pull request pi-hole#544 from pi-hole/tweak/capabilities_check

Check capabilities with kernel methods
wetnun · Mar 21, 2019 · 320a9c8 · 320a9c8
2 parents 9ed84ff + 09f0727
commit 320a9c8
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 19 deletions.
diff --git a/FTL.h b/FTL.h
@@ -104,6 +104,7 @@ enum {
   DEBUG_API        = (1 << 9),  /* 00000010 00000000 */
   DEBUG_OVERTIME   = (1 << 10), /* 00000100 00000000 */
   DEBUG_EXTBLOCKED = (1 << 11), /* 00001000 00000000 */
+  DEBUG_CAPS       = (1 << 12), /* 00010000 00000000 */
 };
 
 // Database table "ftl"

diff --git a/Makefile b/Makefile
@@ -98,7 +98,7 @@ CCFLAGS=-std=gnu11 -I$(IDIR) $(WARNFLAGS) -D_FILE_OFFSET_BITS=64 $(HARDENING_FLA
 # for dnsmasq we need the nettle crypto library and the gmp maths library
 # We link the two libraries statically. Although this increases the binary file size by about 1 MB, it saves about 5 MB of shared libraries and makes deployment easier
 #LIBS=-pthread -lnettle -lgmp -lhogweed
-LIBS=-pthread -lrt -lcap -Wl,-Bstatic -L/usr/local/lib -lhogweed -lgmp -lnettle -Wl,-Bdynamic
+LIBS=-pthread -lrt -Wl,-Bstatic -L/usr/local/lib -lhogweed -lgmp -lnettle -Wl,-Bdynamic
 # Flags for compiling with libidn : -lidn
 # Flags for compiling with libidn2: -lidn2
 

diff --git a/capabilities.c b/capabilities.c
@@ -8,36 +8,99 @@
 *  This file is copyright under the latest version of the EUPL.
 *  Please see LICENSE file for your rights under this license. */
 
+// Definition of LINUX_CAPABILITY_VERSION_*
+#define FTLDNS
+#include "dnsmasq/dnsmasq.h"
+#undef __USE_XOPEN
 #include "FTL.h"
-#include <sys/capability.h>
+
+static const unsigned int capabilityIDs[]   = { CAP_CHOWN ,  CAP_DAC_OVERRIDE ,  CAP_DAC_READ_SEARCH ,  CAP_FOWNER ,  CAP_FSETID ,  CAP_KILL ,  CAP_SETGID ,  CAP_SETUID ,  CAP_SETPCAP ,  CAP_LINUX_IMMUTABLE ,  CAP_NET_BIND_SERVICE ,  CAP_NET_BROADCAST ,  CAP_NET_ADMIN ,  CAP_NET_RAW ,  CAP_IPC_LOCK ,  CAP_IPC_OWNER ,  CAP_SYS_MODULE ,  CAP_SYS_RAWIO ,  CAP_SYS_CHROOT ,  CAP_SYS_PTRACE ,  CAP_SYS_PACCT ,  CAP_SYS_ADMIN ,  CAP_SYS_BOOT ,  CAP_SYS_NICE ,  CAP_SYS_RESOURCE ,  CAP_SYS_TIME ,  CAP_SYS_TTY_CONFIG ,  CAP_MKNOD ,  CAP_LEASE ,  CAP_AUDIT_WRITE ,  CAP_AUDIT_CONTROL ,  CAP_SETFCAP ,  CAP_MAC_OVERRIDE ,  CAP_MAC_ADMIN ,  CAP_SYSLOG ,  CAP_WAKE_ALARM ,  CAP_BLOCK_SUSPEND ,  CAP_AUDIT_READ };
+static const char*        capabilityNames[] = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ"};
+static const unsigned int numCaps = sizeof(capabilityIDs) / sizeof(const unsigned int);
 
 bool check_capabilities()
 {
-	if(!cap_get_bound(CAP_NET_ADMIN))
+	// First assume header version 1
+	int capsize = 1; // VFS_CAP_U32_1
+	cap_user_data_t data = NULL;
+	cap_user_header_t hdr = calloc(sizeof(*hdr), capsize);
+
+	// Determine capabilities version used by the current kernel
+	capget(hdr, NULL);
+
+	// Check version
+	if (hdr->version != LINUX_CAPABILITY_VERSION_1)
+	{
+		// If unknown version, use largest supported version (3)
+		// Version 2 is deprecated according to linux/capability.h
+		if (hdr->version != LINUX_CAPABILITY_VERSION_2)
+		{
+			hdr->version = LINUX_CAPABILITY_VERSION_3;
+			capsize = 2; // VFS_CAP_U32_3
+		}
+		else
+		{
+			// Use version 2
+			capsize = 2; // VFS_CAP_U32_2
+		}
+	}
+
+	// Get current capabilities
+	data = calloc(sizeof(*data), capsize);
+	capget(hdr, data);
+
+	if(config.debug & DEBUG_CAPS)
+	{
+		logg("***************************************");
+		logg("* Linux capability debugging enabled  *");
+		for(unsigned int i = 0u; i < numCaps; i++)
+		{
+			const unsigned int capid = capabilityIDs[i];
+
+			// Check if capability is valid for the current kernel
+			// If not, exit loop early
+			if(!cap_valid(capid))
+				break;
+
+			logg("* %-24s (%02u) = %s%s%s *",
+			     capabilityNames[capid], capid,
+			     ((data->permitted   & (1 << capid)) ? "P":"-"),
+			     ((data->inheritable & (1 << capid)) ? "I":"-"),
+			     ((data->effective   & (1 << capid)) ? "E":"-"));
+		}
+		logg("***************************************");
+	}
+
+	bool capabilities_okay = true;
+	if (!(data->permitted & (1 << CAP_NET_ADMIN)))
 	{
 		// Needed for ARP-injection (used when we're the DHCP server)
-		logg("**************************************************************");
-		logg("WARNING: Required linux capability CAP_NET_ADMIN not available");
-		logg("**************************************************************");
-		return false;
+		logg("*************************************************************************");
+		logg("* WARNING: Required Linux capability CAP_NET_ADMIN not available        *");
+		logg("*************************************************************************");
+		capabilities_okay = false;
 	}
-	if(!cap_get_bound(CAP_NET_RAW))
+	if (!(data->permitted & (1 << CAP_NET_RAW)))
 	{
 		// Needed for raw socket access (necessary for ICMP)
-		logg("************************************************************");
-		logg("WARNING: Required linux capability CAP_NET_RAW not available");
-		logg("************************************************************");
-		return false;
+		logg("*************************************************************************");
+		logg("* WARNING: Required Linux capability CAP_NET_RAW not available          *");
+		logg("*************************************************************************");
+		capabilities_okay = false;
 	}
-	if(!cap_get_bound(CAP_NET_BIND_SERVICE))
+	if (!(data->permitted & (1 << CAP_NET_BIND_SERVICE)))
 	{
 		// Necessary for dynamic port binding
-		logg("*********************************************************************");
-		logg("WARNING: Required linux capability CAP_NET_BIND_SERVICE not available");
-		logg("*********************************************************************");
-		return false;
+		logg("*************************************************************************");
+		logg("* WARNING: Required Linux capability CAP_NET_BIND_SERVICE not available *");
+		logg("*************************************************************************");
+		capabilities_okay = false;
 	}
 
-	// All okay!
-	return true;
+	// Free allocated memory
+	free(hdr);
+	free(data);
+
+	// Return whether capabilities are all okay
+	return capabilities_okay;
 }
diff --git a/config.c b/config.c
@@ -594,6 +594,12 @@ void read_debuging_settings(FILE *fp)
 	if(buffer != NULL && strcasecmp(buffer, "true") == 0)
 		config.debug |= DEBUG_EXTBLOCKED;
 
+	// DEBUG_CAPS
+	// defaults to: false
+	buffer = parse_FTLconf(fp, "DEBUG_CAPS");
+	if(buffer != NULL && strcasecmp(buffer, "true") == 0)
+		config.debug |= DEBUG_CAPS;
+
 	// DEBUG_ALL
 	// defaults to: false
 	buffer = parse_FTLconf(fp, "DEBUG_ALL");
@@ -616,6 +622,7 @@ void read_debuging_settings(FILE *fp)
 		logg("* DEBUG_API        %s *", (config.debug & DEBUG_API)? "YES":"NO ");
 		logg("* DEBUG_OVERTIME   %s *", (config.debug & DEBUG_OVERTIME)? "YES":"NO ");
 		logg("* DEBUG_EXTBLOCKED %s *", (config.debug & DEBUG_EXTBLOCKED)? "YES":"NO ");
+		logg("* DEBUG_CAPS       %s *", (config.debug & DEBUG_CAPS)? "YES":"NO ");
 		logg("************************");
 	}
 

diff --git a/dnsmasq_interface.c b/dnsmasq_interface.c
@@ -361,6 +361,8 @@ void FTL_dnsmasq_reload(void)
 	// *before* clearing the cache and rereading the lists
 	// This is the only hook that is not skipped in PRIVACY_NOSTATS mode
 
+	logg("Received SIGHUP, reloading cache");
+
 	// Called when dnsmasq re-reads its config and hosts files
 	// Reset number of blocked domains
 	counters->gravity = 0;
@@ -382,6 +384,10 @@ void FTL_dnsmasq_reload(void)
 
 	// Reread pihole-FTL.conf to see which debugging flags are set
 	read_debuging_settings(NULL);
+
+	// Print current set of capabilities if requested via debug flag
+	if(config.debug & DEBUG_CAPS)
+		check_capabilities();
 }
 
 void _FTL_reply(unsigned short flags, char *name, struct all_addr *addr, int id, const char* file, const int line)