diff --git a/FTL.h b/FTL.h index 7c2cf88c7..a4bba0955 100644 --- a/FTL.h +++ b/FTL.h @@ -104,6 +104,7 @@ enum { DEBUG_API = (1 << 9), /* 00000010 00000000 */ DEBUG_OVERTIME = (1 << 10), /* 00000100 00000000 */ DEBUG_EXTBLOCKED = (1 << 11), /* 00001000 00000000 */ + DEBUG_CAPS = (1 << 12), /* 00010000 00000000 */ }; // Database table "ftl" diff --git a/Makefile b/Makefile index 6f7f78c7b..009e18f01 100644 --- a/Makefile +++ b/Makefile @@ -98,7 +98,7 @@ CCFLAGS=-std=gnu11 -I$(IDIR) $(WARNFLAGS) -D_FILE_OFFSET_BITS=64 $(HARDENING_FLA # for dnsmasq we need the nettle crypto library and the gmp maths library # We link the two libraries statically. Although this increases the binary file size by about 1 MB, it saves about 5 MB of shared libraries and makes deployment easier #LIBS=-pthread -lnettle -lgmp -lhogweed -LIBS=-pthread -lrt -lcap -Wl,-Bstatic -L/usr/local/lib -lhogweed -lgmp -lnettle -Wl,-Bdynamic +LIBS=-pthread -lrt -Wl,-Bstatic -L/usr/local/lib -lhogweed -lgmp -lnettle -Wl,-Bdynamic # Flags for compiling with libidn : -lidn # Flags for compiling with libidn2: -lidn2 diff --git a/capabilities.c b/capabilities.c index 1a33fee83..9290cc2c4 100644 --- a/capabilities.c +++ b/capabilities.c @@ -8,36 +8,99 @@ * This file is copyright under the latest version of the EUPL. * Please see LICENSE file for your rights under this license. */ +// Definition of LINUX_CAPABILITY_VERSION_* +#define FTLDNS +#include "dnsmasq/dnsmasq.h" +#undef __USE_XOPEN #include "FTL.h" -#include + +static const unsigned int capabilityIDs[] = { CAP_CHOWN , CAP_DAC_OVERRIDE , CAP_DAC_READ_SEARCH , CAP_FOWNER , CAP_FSETID , CAP_KILL , CAP_SETGID , CAP_SETUID , CAP_SETPCAP , CAP_LINUX_IMMUTABLE , CAP_NET_BIND_SERVICE , CAP_NET_BROADCAST , CAP_NET_ADMIN , CAP_NET_RAW , CAP_IPC_LOCK , CAP_IPC_OWNER , CAP_SYS_MODULE , CAP_SYS_RAWIO , CAP_SYS_CHROOT , CAP_SYS_PTRACE , CAP_SYS_PACCT , CAP_SYS_ADMIN , CAP_SYS_BOOT , CAP_SYS_NICE , CAP_SYS_RESOURCE , CAP_SYS_TIME , CAP_SYS_TTY_CONFIG , CAP_MKNOD , CAP_LEASE , CAP_AUDIT_WRITE , CAP_AUDIT_CONTROL , CAP_SETFCAP , CAP_MAC_OVERRIDE , CAP_MAC_ADMIN , CAP_SYSLOG , CAP_WAKE_ALARM , CAP_BLOCK_SUSPEND , CAP_AUDIT_READ }; +static const char* capabilityNames[] = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ"}; +static const unsigned int numCaps = sizeof(capabilityIDs) / sizeof(const unsigned int); bool check_capabilities() { - if(!cap_get_bound(CAP_NET_ADMIN)) + // First assume header version 1 + int capsize = 1; // VFS_CAP_U32_1 + cap_user_data_t data = NULL; + cap_user_header_t hdr = calloc(sizeof(*hdr), capsize); + + // Determine capabilities version used by the current kernel + capget(hdr, NULL); + + // Check version + if (hdr->version != LINUX_CAPABILITY_VERSION_1) + { + // If unknown version, use largest supported version (3) + // Version 2 is deprecated according to linux/capability.h + if (hdr->version != LINUX_CAPABILITY_VERSION_2) + { + hdr->version = LINUX_CAPABILITY_VERSION_3; + capsize = 2; // VFS_CAP_U32_3 + } + else + { + // Use version 2 + capsize = 2; // VFS_CAP_U32_2 + } + } + + // Get current capabilities + data = calloc(sizeof(*data), capsize); + capget(hdr, data); + + if(config.debug & DEBUG_CAPS) + { + logg("***************************************"); + logg("* Linux capability debugging enabled *"); + for(unsigned int i = 0u; i < numCaps; i++) + { + const unsigned int capid = capabilityIDs[i]; + + // Check if capability is valid for the current kernel + // If not, exit loop early + if(!cap_valid(capid)) + break; + + logg("* %-24s (%02u) = %s%s%s *", + capabilityNames[capid], capid, + ((data->permitted & (1 << capid)) ? "P":"-"), + ((data->inheritable & (1 << capid)) ? "I":"-"), + ((data->effective & (1 << capid)) ? "E":"-")); + } + logg("***************************************"); + } + + bool capabilities_okay = true; + if (!(data->permitted & (1 << CAP_NET_ADMIN))) { // Needed for ARP-injection (used when we're the DHCP server) - logg("**************************************************************"); - logg("WARNING: Required linux capability CAP_NET_ADMIN not available"); - logg("**************************************************************"); - return false; + logg("*************************************************************************"); + logg("* WARNING: Required Linux capability CAP_NET_ADMIN not available *"); + logg("*************************************************************************"); + capabilities_okay = false; } - if(!cap_get_bound(CAP_NET_RAW)) + if (!(data->permitted & (1 << CAP_NET_RAW))) { // Needed for raw socket access (necessary for ICMP) - logg("************************************************************"); - logg("WARNING: Required linux capability CAP_NET_RAW not available"); - logg("************************************************************"); - return false; + logg("*************************************************************************"); + logg("* WARNING: Required Linux capability CAP_NET_RAW not available *"); + logg("*************************************************************************"); + capabilities_okay = false; } - if(!cap_get_bound(CAP_NET_BIND_SERVICE)) + if (!(data->permitted & (1 << CAP_NET_BIND_SERVICE))) { // Necessary for dynamic port binding - logg("*********************************************************************"); - logg("WARNING: Required linux capability CAP_NET_BIND_SERVICE not available"); - logg("*********************************************************************"); - return false; + logg("*************************************************************************"); + logg("* WARNING: Required Linux capability CAP_NET_BIND_SERVICE not available *"); + logg("*************************************************************************"); + capabilities_okay = false; } - // All okay! - return true; + // Free allocated memory + free(hdr); + free(data); + + // Return whether capabilities are all okay + return capabilities_okay; } diff --git a/config.c b/config.c index a2f68ba9d..c867a6a79 100644 --- a/config.c +++ b/config.c @@ -594,6 +594,12 @@ void read_debuging_settings(FILE *fp) if(buffer != NULL && strcasecmp(buffer, "true") == 0) config.debug |= DEBUG_EXTBLOCKED; + // DEBUG_CAPS + // defaults to: false + buffer = parse_FTLconf(fp, "DEBUG_CAPS"); + if(buffer != NULL && strcasecmp(buffer, "true") == 0) + config.debug |= DEBUG_CAPS; + // DEBUG_ALL // defaults to: false buffer = parse_FTLconf(fp, "DEBUG_ALL"); @@ -616,6 +622,7 @@ void read_debuging_settings(FILE *fp) logg("* DEBUG_API %s *", (config.debug & DEBUG_API)? "YES":"NO "); logg("* DEBUG_OVERTIME %s *", (config.debug & DEBUG_OVERTIME)? "YES":"NO "); logg("* DEBUG_EXTBLOCKED %s *", (config.debug & DEBUG_EXTBLOCKED)? "YES":"NO "); + logg("* DEBUG_CAPS %s *", (config.debug & DEBUG_CAPS)? "YES":"NO "); logg("************************"); } diff --git a/dnsmasq_interface.c b/dnsmasq_interface.c index 7b396cc49..a62945f36 100644 --- a/dnsmasq_interface.c +++ b/dnsmasq_interface.c @@ -361,6 +361,8 @@ void FTL_dnsmasq_reload(void) // *before* clearing the cache and rereading the lists // This is the only hook that is not skipped in PRIVACY_NOSTATS mode + logg("Received SIGHUP, reloading cache"); + // Called when dnsmasq re-reads its config and hosts files // Reset number of blocked domains counters->gravity = 0; @@ -382,6 +384,10 @@ void FTL_dnsmasq_reload(void) // Reread pihole-FTL.conf to see which debugging flags are set read_debuging_settings(NULL); + + // Print current set of capabilities if requested via debug flag + if(config.debug & DEBUG_CAPS) + check_capabilities(); } void _FTL_reply(unsigned short flags, char *name, struct all_addr *addr, int id, const char* file, const int line)