Add capabilities debug mode that prints all capabilities which are en…

…abled when pihole-FTL is started.

Signed-off-by: DL6ER <[email protected]>

FTL.h

@@ -104,6 +104,7 @@ enum {
   DEBUG_API        = (1 << 9),  /* 00000010 00000000 */
   DEBUG_OVERTIME   = (1 << 10), /* 00000100 00000000 */
   DEBUG_EXTBLOCKED = (1 << 11), /* 00001000 00000000 */
+  DEBUG_CAPS       = (1 << 12), /* 00010000 00000000 */
 };
 
 // Database table "ftl"

capabilities.c

@@ -14,6 +14,9 @@
 #undef __USE_XOPEN
 #include "FTL.h"
 
+const int capabilityIntegers[] = { CAP_CHOWN ,  CAP_DAC_OVERRIDE ,  CAP_DAC_READ_SEARCH ,  CAP_FOWNER ,  CAP_FSETID ,  CAP_KILL ,  CAP_SETGID ,  CAP_SETUID ,  CAP_SETPCAP ,  CAP_LINUX_IMMUTABLE ,  CAP_NET_BIND_SERVICE ,  CAP_NET_BROADCAST ,  CAP_NET_ADMIN ,  CAP_NET_RAW ,  CAP_IPC_LOCK ,  CAP_IPC_OWNER ,  CAP_SYS_MODULE ,  CAP_SYS_RAWIO ,  CAP_SYS_CHROOT ,  CAP_SYS_PTRACE ,  CAP_SYS_PACCT ,  CAP_SYS_ADMIN ,  CAP_SYS_BOOT ,  CAP_SYS_NICE ,  CAP_SYS_RESOURCE ,  CAP_SYS_TIME ,  CAP_SYS_TTY_CONFIG ,  CAP_MKNOD ,  CAP_LEASE ,  CAP_AUDIT_WRITE ,  CAP_AUDIT_CONTROL ,  CAP_SETFCAP ,  CAP_MAC_OVERRIDE ,  CAP_MAC_ADMIN ,  CAP_SYSLOG ,  CAP_WAKE_ALARM ,  CAP_BLOCK_SUSPEND ,  CAP_AUDIT_READ };
+const char* capabilityNames[]  = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ"};
+
 bool check_capabilities()
 {
 	int capsize = 1; /* for header version 1 */
@@ -36,40 +39,56 @@ bool check_capabilities()
 	data = calloc(sizeof(*data), capsize);
 	capget(hdr, data); /* Get current values, for verification */
 
-	bool missing = true;
+	if(config.debug & DEBUG_CAPS)
+	{
+		logg("*********************************************************************");
+		for(unsigned int i = 0u; i < (sizeof(capabilityIntegers)/sizeof(const int)); i++)
+		{
+			unsigned int capid = capabilityIntegers[i];
+			logg("DEBUG: Capability %-24s (%02u) = %s%s%s",
+			     capabilityNames[capid],
+			     capid,
+			     ((data->effective & (1 << capid)) ? "E":"-"),
+			     ((data->permitted & (1 << capid)) ? "P":"-"),
+			     ((data->inheritable & (1 << capid)) ? "I":"-"));
+		}
+		logg("*********************************************************************");
+	}
+
+	bool capabilities_okay = true;
 	if (!(data->permitted & (1 << CAP_NET_ADMIN)))
 	{
 		// Needed for ARP-injection (used when we're the DHCP server)
-		logg("**************************************************************");
+		logg("*********************************************************************");
 		logg("WARNING: Required linux capability CAP_NET_ADMIN not available");
-		logg("**************************************************************");
-		missing = true;
+		logg("*********************************************************************");
+		capabilities_okay = false;
 	}
 	if (!(data->permitted & (1 << CAP_NET_RAW)))
 	{
 		// Needed for raw socket access (necessary for ICMP)
-		logg("************************************************************");
+		logg("*********************************************************************");
 		logg("WARNING: Required linux capability CAP_NET_RAW not available");
-		logg("************************************************************");
-		missing = true;
+		logg("*********************************************************************");
+		capabilities_okay = false;
 	}
 	if (!(data->permitted & (1 << CAP_NET_BIND_SERVICE)))
 	{
 		// Necessary for dynamic port binding
 		logg("*********************************************************************");
 		logg("WARNING: Required linux capability CAP_NET_BIND_SERVICE not available");
 		logg("*********************************************************************");
-		missing = true;
+		capabilities_okay = false;
 	}
 	if (!(data->permitted & (1 << CAP_SETUID)))
 	{
 		// Necessary for changing our own user ID ("daemonizing")
 		logg("*********************************************************************");
 		logg("WARNING: Required linux capability CAP_SETUID not available");
 		logg("*********************************************************************");
-		missing = true;
+		capabilities_okay = false;
 	}
 
 	// All okay!
-	return missing;
+	return capabilities_okay;
 }

config.c

@@ -594,6 +594,12 @@ void read_debuging_settings(FILE *fp)
 	if(buffer != NULL && strcasecmp(buffer, "true") == 0)
 		config.debug |= DEBUG_EXTBLOCKED;
 
+	// DEBUG_CAPS
+	// defaults to: false
+	buffer = parse_FTLconf(fp, "DEBUG_CAPS");
+	if(buffer != NULL && strcasecmp(buffer, "true") == 0)
+		config.debug |= DEBUG_CAPS;
+
 	// DEBUG_ALL
 	// defaults to: false
 	buffer = parse_FTLconf(fp, "DEBUG_ALL");
@@ -616,6 +622,7 @@ void read_debuging_settings(FILE *fp)
 		logg("* DEBUG_API        %s *", (config.debug & DEBUG_API)? "YES":"NO ");
 		logg("* DEBUG_OVERTIME   %s *", (config.debug & DEBUG_OVERTIME)? "YES":"NO ");
 		logg("* DEBUG_EXTBLOCKED %s *", (config.debug & DEBUG_EXTBLOCKED)? "YES":"NO ");
+		logg("* DEBUG_CAPS       %s *", (config.debug & DEBUG_CAPS)? "YES":"NO ");
 		logg("************************");
 	}