
ink_cap.h

00001 /** @file
00002 
00003   POSIX Capability related utilities.
00004 
00005   @section license License
00006 
00007   Licensed to the Apache Software Foundation (ASF) under one
00008   or more contributor license agreements.  See the NOTICE file
00009   distributed with this work for additional information
00010   regarding copyright ownership.  The ASF licenses this file
00011   to you under the Apache License, Version 2.0 (the
00012   "License"); you may not use this file except in compliance
00013   with the License.  You may obtain a copy of the License at
00014 
00015       http://www.apache.org/licenses/LICENSE-2.0
00016 
00017   Unless required by applicable law or agreed to in writing, software
00018   distributed under the License is distributed on an "AS IS" BASIS,
00019   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00020   See the License for the specific language governing permissions and
00021   limitations under the License.
00022 
00023  */
00024 #if !defined (_ink_cap_h_)
00025 #define _ink_cap_h_
00026 #include "ink_mutex.h"
00027 
/// Generate a debug message with the current capabilities for the process.
extern void DebugCapabilities(
  char const* tag ///< Debug message tag.
);
/// Set capabilities to persist across change of user id.
/// NOTE(review): presumably a non-zero result means the capabilities will not
/// survive the uid change; callers should check it before switching user id.
/// Confirm against the implementation.
/// @return 0 on success, non-zero otherwise.
extern int PreserveCapabilities();
/// Initialize and restrict the capabilities of a thread.
/// NOTE(review): presumably a non-zero result leaves the capability set
/// unrestricted, so callers should treat it as an error rather than continue
/// with more privilege than intended. Confirm against the implementation.
/// @return 0 on success, non-zero otherwise.
extern int RestrictCapabilities();
00038 
/** Control generation of core files on crash.
    @a flag sets whether core files are enabled on crash.
    NOTE(review): a core file is a dump of process memory and can therefore
    contain secrets the process held; enable it deliberately and restrict who
    can read the dump location.
    @return 0 on success, @c errno on failure.
 */
extern int EnableCoreFile(
  bool flag ///< New enable state.
);
00046 
00047 
00048 
#if TS_USE_POSIX_CAP
/// File-access elevation switch, declared only when TS_USE_POSIX_CAP is set.
/// ElevateAccess calls it with @c true to elevate and @c false to demote.
/// NOTE(review): the meaning of the bool result is not documented here;
/// presumably a success flag. Confirm in the implementation.
bool elevateFileAccess(bool);
#else
/// Fallback pair, declared only when TS_USE_POSIX_CAP is not set.
/// ElevateAccess passes the address of its saved uid to restoreRootPriv() and
/// later hands that saved value to removeRootPriv().
/// NOTE(review): per the parameter name, restoreRootPriv() presumably reports
/// the previous effective uid through @a old_euid; the bool results are
/// presumably success flags. Confirm in the implementation.
bool restoreRootPriv(uid_t *old_euid = NULL);
bool removeRootPriv(uid_t euid);
#endif
00055 
00056 
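/** Scoped guard that raises file-access privilege while it is alive.

    Construct with @c true (or call elevate()) to raise privilege; the
    destructor calls demote() if the object is still marked elevated.

    With @c TS_USE_POSIX_CAP set, the work is delegated to elevateFileAccess().
    Otherwise the process-wide credential is switched through
    restoreRootPriv() / removeRootPriv(), serialized by a class-wide mutex.

    @note The bool results of elevateFileAccess(), restoreRootPriv() and
    removeRootPriv() are not checked here, so @c elevated records that an
    elevation was attempted, not that it succeeded.
    @note Do not copy instances: a copy carries the same @c elevated and
    @c saved_uid state and would demote a second time.
 */
class ElevateAccess {
public:
  /// @param state If @c true, elevate immediately on construction.
  ElevateAccess(const bool state): elevated(false), saved_uid(0) {
    if (state) {
      elevate();
    }
  }

  /// Raise privilege and mark this object as elevated.
  void elevate() {
#if TS_USE_POSIX_CAP
    elevateFileAccess(true);
#else
    // Since we are setting a process-wide credential, we have to block any other thread
    // attempting to elevate until this one demotes. The lock must therefore be taken
    // BEFORE the credential is touched: if restoreRootPriv() ran first, a second thread
    // could change the credential and record the already-elevated uid in its saved_uid
    // while the first thread is still elevated, and its later demote() would hand that
    // elevated uid back to removeRootPriv().
    // NOTE(review): calling elevate() twice on one object blocks here unless
    // ink_mutex is recursive - confirm.
    ink_mutex_acquire(&lock);
    restoreRootPriv(&saved_uid);
#endif
    elevated = true;
  }

  /// Drop the privilege raised by elevate() and clear the elevated mark.
  void demote() {
#if TS_USE_POSIX_CAP
    elevateFileAccess(false);
#else
    // Drop the credential first, then release the lock, so the next thread to
    // acquire it starts from the demoted state.
    removeRootPriv(saved_uid);
    ink_mutex_release(&lock);
#endif
    elevated = false;
  }

  /// Demote on scope exit if this object is still marked elevated.
  ~ElevateAccess() {
    if (elevated) {
      demote();
    }
  }

private:
  bool elevated;   // true between elevate() and demote()
  uid_t saved_uid; // value filled in by restoreRootPriv(), passed back to removeRootPriv()
#if !TS_USE_POSIX_CAP
  static ink_mutex lock; // only one thread at a time can elevate
#endif
};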
00100 
00101 #endif
