mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-11-03 09:01:50 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

daemon: strip all special suid/caps log from our startup code, we'll now rely on RealtimeKit for all high-priority/RT scheduling policy issues

Browse source
This commit is contained in:
Lennart Poettering 2009-06-19 17:37:18 +02:00
parent bacc5ca6f4
commit 9c438bcac6
4 changed files with 31 additions and 285 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/Makefile.am
View file

@ -114,7 +114,6 @@ EXTRA_DIST = \
modules/module-defs.h.m4 \
daemon/pulseaudio.desktop.in \
map-file \
daemon/org.pulseaudio.policy.in \
modules/alsa/mixer/profile-sets/default.conf \
modules/alsa/mixer/profile-sets/native-instruments-audio4dj.conf \
modules/alsa/mixer/profile-sets/native-instruments-audio8dj.conf \
@ -184,16 +183,6 @@ else
pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
endif
if HAVE_POLKIT
policy_in_files = daemon/org.pulseaudio.policy.in
policy_DATA = $(policy_in_files:.policy.in=.policy)
@INTLTOOL_POLICY_RULE@
pulseaudio_SOURCES += daemon/polkit.c daemon/polkit.h
pulseaudio_CFLAGS += $(POLKIT_CFLAGS)
pulseaudio_LDADD += $(POLKIT_LIBS)
endif
###################################
# Utility programs #
###################################
@ -1655,11 +1644,7 @@ module_rygel_media_server_la_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
# Some minor stuff #
###################################
suid: pulseaudio .libs/lt-pulseaudio
chown root $^
chmod u+s $^
CLEANFILES = esdcompat client.conf default.pa system.pa daemon.conf start-pulseaudio-x11 daemon/pulseaudio.desktop daemon/org.pulseaudio.policy
CLEANFILES = esdcompat client.conf default.pa system.pa daemon.conf start-pulseaudio-x11 daemon/pulseaudio.desktop
esdcompat: daemon/esdcompat.in Makefile
sed -e 's,@PACKAGE_VERSION\@,$(PACKAGE_VERSION),g' \

91
src/daemon/caps.c
View file

@ -39,6 +39,7 @@
#ifdef HAVE_SYS_CAPABILITY_H
#include <sys/capability.h>
#endif
#ifdef HAVE_SYS_PRCTL_H
#include <sys/prctl.h>
#endif
@ -51,12 +52,13 @@ int setresgid(gid_t r, gid_t e, gid_t s);
int setresuid(uid_t r, uid_t e, uid_t s);
#endif
#ifdef HAVE_GETUID
/* Drop root rights when called SUID root */
void pa_drop_root(void) {
uid_t uid = getuid();
#ifdef HAVE_GETUID
uid_t uid;
uid = getuid();
if (uid == 0 || geteuid() != 0)
return;
@ -73,90 +75,19 @@ void pa_drop_root(void) {
pa_assert_se(getuid() == uid);
pa_assert_se(geteuid() == uid);
}
#else
void pa_drop_root(void) {
}
#endif
#if defined(HAVE_SYS_CAPABILITY_H) && defined(HAVE_SYS_PRCTL_H)
/* Limit permitted capabilities set to CAPSYS_NICE */
void pa_limit_caps(void) {
cap_t caps;
cap_value_t nice_cap = CAP_SYS_NICE;
pa_assert_se(caps = cap_init());
pa_assert_se(cap_clear(caps) == 0);
pa_assert_se(cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET) == 0);
pa_assert_se(cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET) == 0);
if (cap_set_proc(caps) < 0)
/* Hmm, so we couldn't limit our caps, which probably means we
* hadn't any in the first place, so let's just make sure of
* that */
pa_drop_caps();
else
pa_log_info(_("Limited capabilities successfully to CAP_SYS_NICE."));
pa_assert_se(cap_free(caps) == 0);
pa_assert_se(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0);
}
/* Drop all capabilities, effectively becoming a normal user */
void pa_drop_caps(void) {
cap_t caps;
#ifndef __OPTIMIZE__
/* Valgrind doesn't not know set_caps, so we bypass it here -- but
* only in development builds.*/
if (pa_in_valgrind() && !pa_have_caps())
return;
#endif
#ifdef HAVE_SYS_PRCTL_H
pa_assert_se(prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0);
#endif
#ifdef HAVE_SYS_CAPABILITY_H
{
cap_t caps;
pa_assert_se(caps = cap_init());
pa_assert_se(cap_clear(caps) == 0);
pa_assert_se(cap_set_proc(caps) == 0);
pa_assert_se(cap_free(caps) == 0);
pa_assert_se(!pa_have_caps());
}
pa_bool_t pa_have_caps(void) {
cap_t caps;
cap_flag_value_t flag = CAP_CLEAR;
#ifdef __OPTIMIZE__
pa_assert_se(caps = cap_get_proc());
#else
if (!(caps = cap_get_proc()))
return FALSE;
}
#endif
pa_assert_se(cap_get_flag(caps, CAP_SYS_NICE, CAP_EFFECTIVE, &flag) >= 0);
pa_assert_se(cap_free(caps) == 0);
return flag == CAP_SET;
}
#else
/* NOOPs in case capabilities are not available. */
void pa_limit_caps(void) {
}
void pa_drop_caps(void) {
pa_drop_root();
}
pa_bool_t pa_have_caps(void) {
return FALSE;
}
#endif

3
src/daemon/caps.h
View file

@ -25,8 +25,5 @@
#include <pulsecore/macro.h>
void pa_drop_root(void);
void pa_drop_caps(void);
void pa_limit_caps(void);
pa_bool_t pa_have_caps(void);
#endif

193
src/daemon/main.c
View file

@ -102,7 +102,6 @@
#include "dumpmodules.h"
#include "caps.h"
#include "ltdl-bind-now.h"
#include "polkit.h"
#ifdef HAVE_LIBWRAP
/* Only one instance of these variables */
@ -381,9 +380,7 @@ int main(int argc, char *argv[]) {
pa_mainloop *mainloop = NULL;
char *s;
int r = 0, retval = 1, d = 0;
pa_bool_t suid_root, real_root;
pa_bool_t valid_pid_file = FALSE;
gid_t gid = (gid_t) -1;
pa_bool_t ltdl_init = FALSE;
int passed_fd = -1;
const char *e;
@ -426,30 +423,6 @@ int main(int argc, char *argv[]) {
}
#endif
#ifdef HAVE_GETUID
real_root = getuid() == 0;
suid_root = !real_root && geteuid() == 0;
#else
real_root = FALSE;
suid_root = FALSE;
#endif
if (!real_root) {
/* Drop all capabilities except CAP_SYS_NICE */
pa_limit_caps();
/* Drop privileges, but keep CAP_SYS_NICE */
pa_drop_root();
/* After dropping root, the effective set is reset, hence,
* let's raise it again */
pa_limit_caps();
/* When capabilities are not supported we will not be able to
* acquire RT sched anymore. But yes, that's the way it is. It
* is just too risky tun let PA run as root all the time. */
}
if ((e = getenv("PULSE_PASSED_FD"))) {
passed_fd = atoi(e);
@ -457,15 +430,14 @@ int main(int argc, char *argv[]) {
passed_fd = -1;
}
/* We might be autospawned, in which case have no idea in which
* context we have been started. Let's cleanup our execution
* context as good as possible */
pa_drop_root();
pa_close_all(passed_fd, -1);
pa_reset_sigs(-1);
pa_unblock_sigs(-1);
/* At this point, we are a normal user, possibly with CAP_NICE if
* we were started SUID. If we are started as normal root, than we
* still are normal root. */
setlocale(LC_ALL, "");
pa_init_i18n();
@ -490,150 +462,6 @@ int main(int argc, char *argv[]) {
pa_log_set_flags(PA_LOG_PRINT_TIME, PA_LOG_SET);
pa_log_set_show_backtrace(conf->log_backtrace);
pa_log_debug("Started as real root: %s, suid root: %s", pa_yes_no(real_root), pa_yes_no(suid_root));
if (!real_root && pa_have_caps()) {
#ifdef HAVE_SYS_RESOURCE_H
struct rlimit rl;
#endif
pa_bool_t allow_high_priority = FALSE, allow_realtime = FALSE;
/* Let's better not enable high prio or RT by default */
if (conf->high_priority && !allow_high_priority) {
if (pa_own_uid_in_group(PA_REALTIME_GROUP, &gid) > 0) {
pa_log_info(_("We're in the group '%s', allowing high-priority scheduling."), PA_REALTIME_GROUP);
allow_high_priority = TRUE;
}
}
if (conf->realtime_scheduling && !allow_realtime) {
if (pa_own_uid_in_group(PA_REALTIME_GROUP, &gid) > 0) {
pa_log_info(_("We're in the group '%s', allowing real-time scheduling."), PA_REALTIME_GROUP);
allow_realtime = TRUE;
}
}
#ifdef HAVE_POLKIT
if (conf->high_priority && !allow_high_priority) {
if (pa_polkit_check("org.pulseaudio.acquire-high-priority") > 0) {
pa_log_info(_("PolicyKit grants us acquire-high-priority privilege."));
allow_high_priority = TRUE;
} else
pa_log_info(_("PolicyKit refuses acquire-high-priority privilege."));
}
if (conf->realtime_scheduling && !allow_realtime) {
if (pa_polkit_check("org.pulseaudio.acquire-real-time") > 0) {
pa_log_info(_("PolicyKit grants us acquire-real-time privilege."));
allow_realtime = TRUE;
} else
pa_log_info(_("PolicyKit refuses acquire-real-time privilege."));
}
#endif
if (!allow_high_priority && !allow_realtime) {
/* OK, there's no further need to keep CAP_NICE. Hence
* let's give it up early */
pa_drop_caps();
}
#ifdef RLIMIT_RTPRIO
if (getrlimit(RLIMIT_RTPRIO, &rl) >= 0)
if (rl.rlim_cur > 0) {
pa_log_info("RLIMIT_RTPRIO is set to %u, allowing real-time scheduling.", (unsigned) rl.rlim_cur);
allow_realtime = TRUE;
}
#endif
#ifdef RLIMIT_NICE
if (getrlimit(RLIMIT_NICE, &rl) >= 0)
if (rl.rlim_cur > 20 ) {
pa_log_info("RLIMIT_NICE is set to %u, allowing high-priority scheduling.", (unsigned) rl.rlim_cur);
allow_high_priority = TRUE;
}
#endif
if ((conf->high_priority && !allow_high_priority) ||
(conf->realtime_scheduling && !allow_realtime))
pa_log_info(_("Called SUID root and real-time and/or high-priority scheduling was requested in the configuration. However, we lack the necessary privileges:\n"
"We are not in group '%s', PolicyKit refuse to grant us the requested privileges and we have no increase RLIMIT_NICE/RLIMIT_RTPRIO resource limits.\n"
"For enabling real-time/high-priority scheduling please acquire the appropriate PolicyKit privileges, or become a member of '%s', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user."),
PA_REALTIME_GROUP, PA_REALTIME_GROUP);
if (!allow_realtime)
conf->realtime_scheduling = FALSE;
if (!allow_high_priority)
conf->high_priority = FALSE;
}
#ifdef HAVE_SYS_RESOURCE_H
/* Reset resource limits. If we are run as root (for system mode)
* this might end up increasing the limits, which is intended
* behaviour. For all other cases, i.e. started as normal user, or
* SUID root at this point we should have no CAP_SYS_RESOURCE and
* increasing the limits thus should fail. Which is, too, intended
* behaviour */
set_all_rlimits(conf);
#endif
if (conf->high_priority && !pa_can_high_priority()) {
pa_log_info(_("High-priority scheduling enabled in configuration but not allowed by policy."));
conf->high_priority = FALSE;
}
if (conf->high_priority && (conf->cmd == PA_CMD_DAEMON || conf->cmd == PA_CMD_START))
pa_raise_priority(conf->nice_level);
pa_log_debug("Can realtime: %s, can high-priority: %s", pa_yes_no(pa_can_realtime()), pa_yes_no(pa_can_high_priority()));
if (!real_root && pa_have_caps()) {
pa_bool_t drop;
drop = (conf->cmd != PA_CMD_DAEMON && conf->cmd != PA_CMD_START) || !conf->realtime_scheduling;
#ifdef RLIMIT_RTPRIO
if (!drop) {
struct rlimit rl;
/* At this point we still have CAP_NICE if we were loaded
* SUID root. If possible let's acquire RLIMIT_RTPRIO
* instead and give CAP_NICE up. */
if (getrlimit(RLIMIT_RTPRIO, &rl) >= 0) {
if (rl.rlim_cur >= 9)
drop = TRUE;
else {
rl.rlim_max = rl.rlim_cur = 9;
if (setrlimit(RLIMIT_RTPRIO, &rl) >= 0) {
pa_log_info(_("Successfully increased RLIMIT_RTPRIO"));
drop = TRUE;
} else
pa_log_warn(_("RLIMIT_RTPRIO failed: %s"), pa_cstrerror(errno));
}
}
}
#endif
if (drop) {
pa_log_info(_("Giving up CAP_NICE"));
pa_drop_caps();
suid_root = FALSE;
}
}
if (conf->realtime_scheduling && !pa_can_realtime()) {
pa_log_info(_("Real-time scheduling enabled in configuration but not allowed by policy."));
conf->realtime_scheduling = FALSE;
}
pa_log_debug("Can realtime: %s, can high-priority: %s", pa_yes_no(pa_can_realtime()), pa_yes_no(pa_can_high_priority()));
LTDL_SET_PRELOADED_SYMBOLS();
pa_ltdl_init();
ltdl_init = TRUE;
@ -718,9 +546,9 @@ int main(int argc, char *argv[]) {
pa_assert(conf->cmd == PA_CMD_DAEMON || conf->cmd == PA_CMD_START);
}
if (real_root && !conf->system_instance)
if (getuid() == 0 && !conf->system_instance)
pa_log_warn(_("This program is not intended to be run as root (unless --system is specified)."));
else if (!real_root && conf->system_instance) {
else if (getuid() != 0 && conf->system_instance) {
pa_log(_("Root privileges required."));
goto finish;
}
@ -866,6 +694,13 @@ int main(int argc, char *argv[]) {
pa_assert_se(chdir("/") == 0);
umask(0022);
#ifdef HAVE_SYS_RESOURCE_H
set_all_rlimits(conf);
#endif
pa_rtclock_hrtimer_enable();
pa_raise_priority(conf->nice_level);
if (conf->system_instance)
if (change_user() < 0)
goto finish;
@ -962,8 +797,6 @@ int main(int argc, char *argv[]) {
else
pa_log_info(_("Dude, your kernel stinks! The chef's recommendation today is Linux with high-resolution timers enabled!"));
pa_rtclock_hrtimer_enable();
#ifdef SIGRTMIN
/* Valgrind uses SIGRTMAX. To easy debugging we don't use it here */
pa_rtsig_configure(SIGRTMIN, SIGRTMAX-1);