when called with the setid bit change euid to uid sooner to make sure that we can access our own files even when we dropped most capabilities. (Closes #21)

git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1455 fefdeb5f-60dc-0310-8127-8f9354f1896f
2025-11-03 09:01:50 -05:00 · 2007-05-25 20:35:30 +00:00 · 2007-05-25 20:35:30 +00:00 · 4d88fcd59d
commit 4d88fcd59d
parent 65e8761683
3 changed files with 66 additions and 32 deletions
--- a/src/pulsecore/core-util.c
+++ b/src/pulsecore/core-util.c
@ -51,6 +51,10 @@
 #include <sys/resource.h>
 #endif

+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
 #ifdef HAVE_PTHREAD
 #include <pthread.h>
 #endif
@ -481,7 +485,23 @@ char *pa_strlcpy(char *b, const char *s, size_t l) {
 sensible: set the nice level to -15 and enable realtime scheduling if
 supported.*/
 void pa_raise_priority(void) {
+#if defined(HAVE_SYS_CAPABILITY_H)
+    cap_t caps;

+    /* Temporarily acquire CAP_SYS_NICE in the effective set */
+    if ((caps = cap_get_proc())) {
+        cap_t caps_new;
+        cap_value_t nice_cap = CAP_SYS_NICE;
+        
+        if ((caps_new = cap_dup(caps))) {
+            cap_set_flag(caps_new, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET);
+            cap_set_flag(caps_new, CAP_PERMITTED, 1, &nice_cap, CAP_SET);
+            cap_set_proc(caps_new);
+            cap_free(caps_new);
+        }
+    }
+#endif
+    
 #ifdef HAVE_SYS_RESOURCE_H
    if (setpriority(PRIO_PROCESS, 0, NICE_LEVEL) < 0)
        pa_log_warn("setpriority(): %s", pa_cstrerror(errno));
@ -495,13 +515,13 @@ void pa_raise_priority(void) {

        if (sched_getparam(0, &sp) < 0) {
            pa_log("sched_getparam(): %s", pa_cstrerror(errno));
-            return;
+            goto fail;
        }

        sp.sched_priority = 1;
        if (sched_setscheduler(0, SCHED_FIFO, &sp) < 0) {
            pa_log_warn("sched_setscheduler(): %s", pa_cstrerror(errno));
-            return;
+            goto fail;
        }

        pa_log_info("Successfully enabled SCHED_FIFO scheduling.");
@ -514,6 +534,16 @@ void pa_raise_priority(void) {
    else
        pa_log_info("Successfully gained high priority class.");
 #endif
+
+fail:
+
+#if defined(HAVE_SYS_CAPABILITY_H)
+    if (caps) {
+        /* Restore original caps */
+        cap_set_proc(caps);
+        cap_free(caps);
+    }
+#endif
 }

 /* Reset the priority to normal, inverting the changes made by pa_raise_priority() */