Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not)

Parnell Springmeyer 2017-01-30 12:59:29 -06:00
parent d8ecd5eb0d
commit 128bdac94f
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A


@ -26,6 +26,9 @@ extern char **environ;
static char * sourceProg = SOURCE_PROG; static char * sourceProg = SOURCE_PROG;
static char * wrapperDir = WRAPPER_DIR; static char * wrapperDir = WRAPPER_DIR;
// Wrapper debug variable name
static char * wrapperDebug = "WRAPPER_DEBUG";
// Update the capabilities of the running process to include the given // Update the capabilities of the running process to include the given
// capability in the Ambient set. // capability in the Ambient set.
static void set_ambient_cap(cap_value_t cap) static void set_ambient_cap(cap_value_t cap)
@ -34,7 +37,7 @@ static void set_ambient_cap(cap_value_t cap)
if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap)) if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
{ {
printf("cannot raise the capability into the Inheritable set\n"); perror("cannot raise the capability into the Inheritable set\n");
exit(1); exit(1);
} }
@ -56,7 +59,9 @@ static int make_caps_ambient(const char *selfPath)
if(!caps) if(!caps)
{ {
fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...\n"); if(getenv(wrapperDebug))
fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...");
return 1; return 1;
} }
@ -127,23 +132,27 @@ static int make_caps_ambient(const char *selfPath)
cap_value_t capnum; cap_value_t capnum;
if (cap_from_name(tok, &capnum)) if (cap_from_name(tok, &capnum))
{ {
fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok); if(getenv(wrapperDebug))
fprintf(stderr, "cap_from_name failed, skipping: %s", tok);
} }
else if (capnum == CAP_SETPCAP) else if (capnum == CAP_SETPCAP)
{ {
// Check for the cap_setpcap capability, we set this on the // Check for the cap_setpcap capability, we set this on the
// wrapper so it can elevate the capabilities to the Ambient // wrapper so it can elevate the capabilities to the Ambient
// set but we do not want to propagate it down into the // set but we do not want to propagate it down into the
// wrapped program. // wrapped program.
// //
// TODO: what happens if that's the behavior you want // TODO: what happens if that's the behavior you want
// though???? I'm preferring a strict vs. loose policy here. // though???? I'm preferring a strict vs. loose policy here.
fprintf(stderr, "cap_setpcap in set, skipping it\n"); if(getenv(wrapperDebug))
fprintf(stderr, "cap_setpcap in set, skipping it\n");
} }
else else
{ {
set_ambient_cap(capnum); set_ambient_cap(capnum);
printf("raised %s into the Ambient capability set\n", tok);
if(getenv(wrapperDebug))
fprintf(stderr, "raised %s into the Ambient capability set\n", tok);
} }
} }
cap_free(capstr); cap_free(capstr);
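Review bot: The new `perror("cannot raise the capability into the Inheritable set\n")` in set_ambient_cap keeps the trailing newline from the old printf, so the errno text that perror appends lands on a separate line starting with `: `; drop the `\n`, or use `fprintf(stderr, ...)` if capng_update is not guaranteed to set errno (not visible here). In make_caps_ambient the two rewritten messages `"...not doing anything..."` and `"cap_from_name failed, skipping: %s"` lost their `\n` while the other two debug messages kept it, so debug output will run together. WRAPPER_DEBUG is read from the caller's environment by a wrapper that raises capabilities, so the `wrapperDebug` definition deserves a comment such as `// Taken from the untrusted caller environment: may only gate diagnostics, never behaviour`. Both functions begin or end outside the hunks shown.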