12321902803

Committed 13 Dec 2024 07:34PM UTC coverage: 66.359% (+1.6%) from 64.78%

Build # 12321902803

Build Type

Pull #14970

github

Committed by

web-flow

Commit Message

Merge e3a7df61c into 3dfd8e317

Pull Request Pull Request #14970: boost > std optional

Run Details

26084 of 54744 branches covered (47.65%)

Branch coverage included in aggregate %.

14 of 15 new or added lines in 2 files covered. (93.33%)

1863 existing lines in 52 files now uncovered.

85857 of 113946 relevant lines covered (75.35%)

4412729.59 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

18.18

/pdns/capabilities.cc

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#include "config.h"

#include <cstring>
#include <stdexcept>

#ifdef HAVE_LIBCAP
#include <sys/capability.h>
#include <sys/prctl.h>
#endif

#include "capabilities.hh"
#include "misc.hh"

bool dropCapabilities([[maybe_unused]] std::set<std::string> capabilitiesToKeep)
{
#ifdef HAVE_LIBCAP
   cap_t caps = cap_get_proc();
   if (caps != nullptr) {
     cap_clear(caps);

     if (!capabilitiesToKeep.empty()) {
       std::vector<cap_value_t> toKeep;
       toKeep.reserve(capabilitiesToKeep.size());

       for (const auto& capToKeep : capabilitiesToKeep) {
         cap_value_t value;
         int res = cap_from_name(capToKeep.c_str(), &value);
         if (res != 0) {
           cap_free(caps);
           throw std::runtime_error("Unable to convert capability name '" + capToKeep + "': " + stringerror());
         }
         toKeep.push_back(value);
       }

       if (cap_set_flag(caps, CAP_EFFECTIVE, toKeep.size(), toKeep.data(), CAP_SET) != 0) {
         cap_free(caps);
         throw std::runtime_error("Unable to set effective flag capabilities: " + stringerror());
       }

       if (cap_set_flag(caps, CAP_PERMITTED, toKeep.size(), toKeep.data(), CAP_SET) != 0) {
         cap_free(caps);
         throw std::runtime_error("Unable to set permitted flag capabilities: " + stringerror());
       }
     }

     if (cap_set_proc(caps) != 0) {
       cap_free(caps);
       if (errno == EPERM) {
         return false;
       }
       throw std::runtime_error("Unable to drop capabilities: " + stringerror());
     }

     cap_free(caps);
     return true;
   }
#endif /* HAVE_LIBCAP */
   return false;
}

bool dropCapabilitiesAfterSwitchingIDs()
{
#ifdef HAVE_LIBCAP
#ifdef PR_SET_KEEPCAPS
  if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0) {
    return true;
  }
#endif /* PR_SET_KEEPCAPS */
  return false;
#else
  return false;
#endif /* HAVE_LIBCAP */
}

bool keepCapabilitiesAfterSwitchingIDs()
{
#ifdef HAVE_LIBCAP
#ifdef PR_SET_KEEPCAPS
  if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0) {
    return true;
  }
#endif /* PR_SET_KEEPCAPS */
  return false;
#else
  return false;
#endif /* HAVE_LIBCAP */
}

1	/*
2	* This file is part of PowerDNS or dnsdist.
3	* Copyright -- PowerDNS.COM B.V. and its contributors
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of version 2 of the GNU General Public License as
7	* published by the Free Software Foundation.
8	*
9	* In addition, for the avoidance of any doubt, permission is granted to
10	* link this program with OpenSSL and to (re)distribute the binaries
11	* produced as the result of such linking.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21	*/
22
23	#include "config.h"
24
25	#include <cstring>
26	#include <stdexcept>
27
28	#ifdef HAVE_LIBCAP
29	#include <sys/capability.h>
30	#include <sys/prctl.h>
31	#endif
32
33	#include "capabilities.hh"
34	#include "misc.hh"
35
36	bool dropCapabilities([[maybe_unused]] std::set<std::string> capabilitiesToKeep)
37	{	152✔
38	#ifdef HAVE_LIBCAP	152✔
39	cap_t caps = cap_get_proc();	152✔
40	if (caps != nullptr) {	152!
41	cap_clear(caps);	152✔
42
43	if (!capabilitiesToKeep.empty()) {	152!
UNCOV 44	std::vector<cap_value_t> toKeep;	×
UNCOV 45	toKeep.reserve(capabilitiesToKeep.size());	×
46
UNCOV 47	for (const auto& capToKeep : capabilitiesToKeep) {	×
UNCOV 48	cap_value_t value;	×
UNCOV 49	int res = cap_from_name(capToKeep.c_str(), &value);	×
UNCOV 50	if (res != 0) {	×
51	cap_free(caps);	×
52	throw std::runtime_error("Unable to convert capability name '" + capToKeep + "': " + stringerror());	×
53	}	×
UNCOV 54	toKeep.push_back(value);	×
UNCOV 55	}	×
56
UNCOV 57	if (cap_set_flag(caps, CAP_EFFECTIVE, toKeep.size(), toKeep.data(), CAP_SET) != 0) {	×
58	cap_free(caps);	×
59	throw std::runtime_error("Unable to set effective flag capabilities: " + stringerror());	×
60	}	×
61
UNCOV 62	if (cap_set_flag(caps, CAP_PERMITTED, toKeep.size(), toKeep.data(), CAP_SET) != 0) {	×
63	cap_free(caps);	×
64	throw std::runtime_error("Unable to set permitted flag capabilities: " + stringerror());	×
65	}	×
UNCOV 66	}	×
67
68	if (cap_set_proc(caps) != 0) {	152!
UNCOV 69	cap_free(caps);	×
UNCOV 70	if (errno == EPERM) {	×
UNCOV 71	return false;	×
UNCOV 72	}	×
73	throw std::runtime_error("Unable to drop capabilities: " + stringerror());	×
UNCOV 74	}	×
75
76	cap_free(caps);	152✔
77	return true;	152✔
78	}	152✔
79	#endif /* HAVE_LIBCAP */	×
80	return false;	×
81	}	152✔
82
83	bool dropCapabilitiesAfterSwitchingIDs()
UNCOV 84	{	×
UNCOV 85	#ifdef HAVE_LIBCAP	×
UNCOV 86	#ifdef PR_SET_KEEPCAPS	×
UNCOV 87	if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0) {	×
UNCOV 88	return true;	×
UNCOV 89	}	×
90	#endif /* PR_SET_KEEPCAPS */	×
91	return false;	×
92	#else
93	return false;
94	#endif /* HAVE_LIBCAP */
UNCOV 95	}	×
96
97	bool keepCapabilitiesAfterSwitchingIDs()
98	{	×
99	#ifdef HAVE_LIBCAP	×
100	#ifdef PR_SET_KEEPCAPS	×
101	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0) {	×
102	return true;	×
103	}	×
104	#endif /* PR_SET_KEEPCAPS */	×
105	return false;	×
106	#else
107	return false;
108	#endif /* HAVE_LIBCAP */
109	}	×

PowerDNS / pdns / 12321902803

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous