rt_ini: add capability awareness

(cherry picked from commit 0fc7efc0f54a4e8ff152d40749e1c25c227f0c99)

rt_ini: add capability awareness
(cherry picked from commit 0fc7efc0f54a4e8ff152d40749e1c25c227f0c99)
8703ee24 · Marcus Nordenberg · Esteban Blanc · 0e47b1a0 · 8703ee24 · 8703ee24
Commit 8703ee24 authored Mar 12, 2020 by Marcus Nordenberg Committed by Esteban Blanc Dec 23, 2020
4 changed files
--- a/src/exe/rt_ini/src/rt_ini.c
+++ b/src/exe/rt_ini/src/rt_ini.c
@@ -41,7 +41,7 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/prctl.h>
-#include <linux/capability.h>
+#include <sys/capability.h>

 #include "co_dcli.h"
 #include "co_string.h"
@@ -106,6 +106,28 @@ int main(int argc, char** argv)

  ver_WriteVersionInfo("ProviewR Runtime Environment");

+  // If we are running from an unprivileged shell we won't have an inheritable flag set which is needed to set ambient capabilites
+  // TODO Later we should pinpoint the exact needed privileges for each process we spawn.
+
+  // Get current caps
+  cap_t proc_caps = cap_get_proc();
+  cap_value_t pwr_caps[] = { CAP_SYS_NICE, CAP_SYS_BOOT, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_NET_ADMIN, CAP_NET_BROADCAST };
+  size_t num_caps = sizeof(pwr_caps) / sizeof(cap_value_t);
+  // Set inheritable flag on the caps we want
+  cap_set_flag(proc_caps, CAP_INHERITABLE, num_caps, pwr_caps, CAP_SET);
+  // Set the process caps with inheritable flag set
+  cap_set_proc(proc_caps);
+
+  // Set our ambient set so that our currently cap unaware processes may inherit and set the effective bit
+  // TODO Set this on a per process basis giving our processes only the capabilities they need. But for now, it'll do...
+  // Each process could also lower their permitted set and thus forever loose that capability...
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BROADCAST, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_SYS_BOOT, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BIND_SERVICE, 0, 0);
+  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_SYS_NICE, 0, 0);
+
  if (cp->flags.b.restart) {
    sts = interactive(argc, argv, cp);
  } else if (cp->flags.b.stop) {
@@ -1719,9 +1741,4 @@ static void daemonize()
  stdin = fopen("/dev/null", "r");
  stdout = fopen("/dev/null", "w+");
  stderr = fopen("/dev/null", "w+");
-
-  // Set our ambient set so that our currently cap unaware processes may inherit and set the effective bit
-  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0);
-  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_BROADCAST, 0, 0);
-  prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0);
 }
--- a/src/tools/pkg/deb_x86_64/pwrrt/postinst
+++ b/src/tools/pkg/deb_x86_64/pwrrt/postinst
@@ -115,7 +115,15 @@ fi
 chown -R pwrp /usr/pwrrt
 chgrp -R pwrp /usr/pwrrt

-setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_net_broadcast+eip /usr/pwrrt/exe/rt_ini
+setcap cap_sys_nice,cap_sys_boot,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_net_broadcast=eip /usr/pwrrt/exe/rt_ini
+
+# We shouldn't need any of the below file modifications but they are kept for reference in the meantime...
+# ALCM should be fine with CAP_NET_RAW
+# ProviewR should run as the user pwrp so rt_X apps are fine...?
+# Realtime priorities and schedulers use CAP_SYS_NICE
+# We also need CAP_SYS_BOOT for when one has chosen to reboot the runtime system on emergency break
+# Processes that use serial ports should also be fine since pwrp is added to dialout during postinst...
+# MODBUS is fine with CAP_NET_BIND_SERVICE

 #chmod u+s /usr/pwrrt/exe/rt_ini
 #chmod u+s /usr/pwrrt/exe/rt_rtt

--- a/src/tools/pkg/deb_x86_64/pwrsev/postinst
+++ b/src/tools/pkg/deb_x86_64/pwrsev/postinst
@@ -115,7 +115,7 @@ fi
 chown -R pwrp /usr/pwrsev
 chgrp -R pwrp /usr/pwrsev

-setcap cap_net_admin,cap_net_raw,cap_net_broadcast,cap_setpcap+eip /usr/pwrsev/exe/sev_ini
+setcap cap_sys_nice,cap_sys_boot,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_net_broadcast=eip /usr/pwrrt/exe/sev_ini

 # Source pwrp_profile in login shells
 if [ ! -e /etc/profile/pwrp_profile.sh ]; then

--- a/src/tools/pwre/src/pwre_configure.sh
+++ b/src/tools/pwre/src/pwre_configure.sh
@@ -422,6 +422,7 @@ else
    pwre_config_check_lib libasound LIBASOUND lib lib 0 "/usr/lib/libasound.so:/usr/lib/libasound.a:/usr/lib/$hwpl-linux-$gnu/libasound.so:/usr/lib64/libasound.so:/usr/lib64/libasound.a"
    pwre_config_check_lib libpthread LIBPTHREAD lib lib 0 "/usr/lib/libpthread.so:/usr/lib/libpthread.a:/usr/lib/$hwpl-linux-$gnu/libpthread.so:/usr/lib64/libpthread.so:/usr/lib64/libpthread.a"
    pwre_config_check_lib libm      LIBM     lib lib 0 "/usr/lib/libm.so:/usr/lib/libm.a:/usr/lib/$hwpl-linux-$gnu/libm.so:/usr/lib64/libm.so:/usr/lib64/libm.a"
+    pwre_config_check_lib libcap    LIBCAP   lib lib 0 "/usr/lib/$hwpl-linux-$gnu/libcap.so"
    pwre_config_check_lib libdb     LIBDB    lib db 1 "/usr/lib/libdb.so:/usr/lib/$hwpl-linux-$gnu/libdb.so:/usr/lib64/libdb-4.8.so"
    pwre_config_check_lib libdb_cxx LIBDB_CXX lib wb 1 "/usr/lib/libdb_cxx.so:/usr/lib/$hwpl-linux-$gnu/libdb_cxx.so:/usr/lib64/libdb_cxx-4.8.so"
    pwre_config_check_lib libz      LIBZ     lib lib 0 "/usr/lib/libz.so:/usr/lib/libz.a:/usr/lib/$hwpl-linux-$gnu/libz.so:/usr/lib64/libz.so:/usr64/lib/libz.a"