support file-based capabilities instead of SUID root for giving PA rights to acquire...

diff --git a/src/daemon/caps.c b/src/daemon/caps.c
index b9e49fc153d2912b79ff18360a45157baf24a98a..ae07119cdf45c060809c0a0dcb12665f4c98af92 100644 (file)
--- a/src/daemon/caps.c
+++ b/src/daemon/caps.c
@@ -91,13 +91,18 @@ void pa_limit_caps(void) {
     pa_assert_se(cap_clear(caps) == 0);
     pa_assert_se(cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET) == 0);
     pa_assert_se(cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET) == 0);
-    pa_assert_se(cap_set_proc(caps) == 0);
-
-    pa_assert_se(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0);
 
-    pa_log_info("Dropped capabilities successfully.");
+    if (cap_set_proc(caps) < 0)
+        /* Hmm, so we couldn't limit our caps, which probably means we
+         * hadn't any in the first place, so let's just make sure of
+         * that */
+        pa_drop_caps();
+    else
+        pa_log_info("Limited capabilities successfully to CAP_SYS_NICE.");
 
     pa_assert_se(cap_free(caps) == 0);
+
+    pa_assert_se(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0);
 }
 
 /* Drop all capabilities, effectively becoming a normal user */
@@ -110,17 +115,33 @@ void pa_drop_caps(void) {
     pa_assert_se(cap_clear(caps) == 0);
     pa_assert_se(cap_set_proc(caps) == 0);
     pa_assert_se(cap_free(caps) == 0);
+
+    pa_assert_se(!pa_have_caps());
+}
+
+pa_bool_t pa_have_caps(void) {
+    cap_t caps;
+    cap_flag_value_t flag = CAP_CLEAR;
+
+    pa_assert_se(caps = cap_get_proc());
+    pa_assert_se(cap_get_flag(caps, CAP_SYS_NICE, CAP_EFFECTIVE, &flag) >= 0);
+    pa_assert_se(cap_free(caps) == 0);
+
+    return flag == CAP_SET;
 }
 
 #else
 
 /* NOOPs in case capabilities are not available. */
 void pa_limit_caps(void) {
-    return 0;
 }
 
 void pa_drop_caps(void) {
     pa_drop_root();
 }
 
+pa_bool_t pa_have_caps(void) {
+    return FALSE;
+}
+
 #endif

diff --git a/src/daemon/caps.h b/src/daemon/caps.h
index c4f775ba083acf87371619ac8d2f66451a7eb629..176aa90e4600380b867bfd91516cee7b7c49c162 100644 (file)
--- a/src/daemon/caps.h
+++ b/src/daemon/caps.h
@@ -22,8 +22,11 @@
   USA.
 ***/
 
+#include <pulsecore/macro.h>
+
 void pa_drop_root(void);
 void pa_drop_caps(void);
 void pa_limit_caps(void);
+pa_bool_t pa_have_caps(void);
 
 #endif

diff --git a/src/daemon/main.c b/src/daemon/main.c
index 04c88d4da7f6aa585f4c3216f48a6ad5638e294c..145944160b16395c4e1260d851faea21571d5154 100644 (file)
--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -374,7 +374,7 @@ int main(int argc, char *argv[]) {
     suid_root = FALSE;
 #endif
 
-    if (suid_root) {
+    if (!real_root) {
         /* Drop all capabilities except CAP_SYS_NICE  */
         pa_limit_caps();
 
@@ -426,20 +426,26 @@ int main(int argc, char *argv[]) {
     pa_log_set_maximal_level(conf->log_level);
     pa_log_set_target(conf->auto_log_target ? PA_LOG_STDERR : conf->log_target, NULL);
 
-    if (suid_root) {
-        pa_bool_t allow_realtime, allow_high_priority;
+    pa_log_debug("Started as real root: %s, suid root: %s", pa_yes_no(real_root), pa_yes_no(suid_root));
 
-        /* Ok, we're suid root, so let's better not enable high prio
-         * or RT by default */
+    if (!real_root && pa_have_caps()) {
+        pa_bool_t allow_high_priority = FALSE, allow_realtime = FALSE;
 
-        allow_high_priority = allow_realtime = FALSE;
+        /* Let's better not enable high prio or RT by default */
 
-        if (conf->high_priority || conf->realtime_scheduling)
+        if (conf->high_priority && !allow_high_priority) {
             if (pa_own_uid_in_group(PA_REALTIME_GROUP, &gid) > 0) {
-                pa_log_info("We're in the group '"PA_REALTIME_GROUP"', allowing real-time and high-priority scheduling.");
-                allow_realtime = conf->realtime_scheduling;
-                allow_high_priority = conf->high_priority;
+                pa_log_info("We're in the group '"PA_REALTIME_GROUP"', allowing high-priority scheduling.");
+                allow_high_priority = TRUE;
             }
+        }
+
+        if (conf->realtime_scheduling && !allow_realtime) {
+            if (pa_own_uid_in_group(PA_REALTIME_GROUP, &gid) > 0) {
+                pa_log_info("We're in the group '"PA_REALTIME_GROUP"', allowing real-time scheduling.");
+                allow_realtime = TRUE;
+            }
+        }
 
 #ifdef HAVE_POLKIT
         if (conf->high_priority && !allow_high_priority) {
@@ -465,7 +471,6 @@ int main(int argc, char *argv[]) {
              * let's give it up early */
 
             pa_drop_caps();
-            suid_root = FALSE;
 
             if (conf->high_priority || conf->realtime_scheduling)
                 pa_log_notice("Called SUID root and real-time/high-priority scheduling was requested in the configuration. However, we lack the necessary priviliges:\n"
@@ -491,7 +496,7 @@ int main(int argc, char *argv[]) {
     if (conf->high_priority && (conf->cmd == PA_CMD_DAEMON || conf->cmd == PA_CMD_START))
         pa_raise_priority(conf->nice_level);
 
-    if (suid_root) {
+    if (pa_have_caps()) {
         pa_bool_t drop;
 
         drop = (conf->cmd != PA_CMD_DAEMON && conf->cmd != PA_CMD_START) || !conf->realtime_scheduling;
@@ -530,6 +535,8 @@ int main(int argc, char *argv[]) {
     if (conf->realtime_scheduling && !pa_can_realtime())
         pa_log_warn("Real-time scheduling enabled in configuration but not allowed by policy.");
 
+    pa_log_debug("Can realtime: %s, can high-priority: %s", pa_yes_no(pa_can_realtime()), pa_yes_no(pa_can_high_priority()));
+
     LTDL_SET_PRELOADED_SYMBOLS();
     pa_ltdl_init();
     ltdl_init = TRUE;