mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-10-31 22:25:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

allow high priority scheduling only for users in group "realtime"

Browse source 
git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@238 fefdeb5f-60dc-0310-8127-8f9354f1896f
This commit is contained in:
Lennart Poettering 2004-09-23 22:42:49 +00:00
parent 8176b3a1ba
commit ed36241085
4 changed files with 96 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

26
polyp/caps.c
View file

@ -36,14 +36,19 @@
#include "caps.h" #include "caps.h"
void pa_drop_root(void) { void pa_drop_root(void) {
if (getuid() != 0 && geteuid() == 0) { uid_t uid = getuid();
pa_log(__FILE__": Started SUID root, dropping root rights.\n");
setuid(getuid()); if (uid == 0 || geteuid() != 0)
seteuid(getuid()); return;
}
pa_log(__FILE__": dropping root rights.\n");
setuid(uid);
seteuid(uid);
} }
#ifdef HAVE_SYS_CAPABILITY_H #ifdef HAVE_SYS_CAPABILITY_H
int pa_limit_caps(void) { int pa_limit_caps(void) {
int r = -1; int r = -1;
cap_t caps; cap_t caps;
@ -53,14 +58,15 @@ int pa_limit_caps(void) {
assert(caps); assert(caps);
cap_clear(caps); cap_clear(caps);
cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET); cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET); cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET);
if (cap_set_proc(caps) < 0) if (cap_set_proc(caps) < 0)
goto fail; goto fail;
pa_log(__FILE__": Started SUID root, capabilities limited.\n"); pa_log(__FILE__": dropped capabilities successfully.\n");
r = 0; r = 0;
fail: fail:
@ -78,10 +84,10 @@ int pa_drop_caps(void) {
cap_clear(caps); cap_clear(caps);
if (cap_set_proc(caps) < 0) if (cap_set_proc(caps) < 0) {
pa_log(__FILE__": failed to drop capabilities: %s\n", strerror(errno));
goto fail; goto fail;
}
pa_drop_root();
r = 0; r = 0;

26
polyp/main.c
View file

@ -49,8 +49,6 @@
#include "dumpmodules.h" #include "dumpmodules.h"
#include "caps.h" #include "caps.h"
static struct pa_mainloop *mainloop;
static void signal_callback(struct pa_mainloop_api*m, struct pa_signal_event *e, int sig, void *userdata) { static void signal_callback(struct pa_mainloop_api*m, struct pa_signal_event *e, int sig, void *userdata) {
pa_log(__FILE__": Got signal %s.\n", pa_strsignal(sig)); pa_log(__FILE__": Got signal %s.\n", pa_strsignal(sig));
@ -84,22 +82,33 @@ int main(int argc, char *argv[]) {
struct pa_core *c; struct pa_core *c;
struct pa_strbuf *buf = NULL; struct pa_strbuf *buf = NULL;
struct pa_daemon_conf *conf; struct pa_daemon_conf *conf;
struct pa_mainloop *mainloop;
char *s; char *s;
int r, retval = 1, d = 0; int r, retval = 1, d = 0;
int daemon_pipe[2] = { -1, -1 }; int daemon_pipe[2] = { -1, -1 };
gid_t gid = (gid_t) -1;
int suid_root;
pa_limit_caps(); pa_limit_caps();
suid_root = getuid() != 0 && geteuid() == 0;
if (suid_root && (pa_uid_in_group("realtime", &gid) <= 0 || gid >= 1000)) {
pa_log(__FILE__": WARNING: called SUID root, but not in group 'realtime'.\n");
pa_drop_root();
}
r = lt_dlinit(); r = lt_dlinit();
assert(r == 0); assert(r == 0);
pa_log_set_ident("polypaudio"); pa_log_set_ident("polypaudio");
conf = pa_daemon_conf_new(); conf = pa_daemon_conf_new();
if (pa_daemon_conf_load(conf, NULL) < 0) if (pa_daemon_conf_load(conf, NULL) < 0)
goto finish; goto finish;
if (pa_daemon_conf_env(conf) < 0) if (pa_daemon_conf_env(conf) < 0)
goto finish; goto finish;
@ -107,13 +116,16 @@ int main(int argc, char *argv[]) {
pa_log(__FILE__": failed to parse command line.\n"); pa_log(__FILE__": failed to parse command line.\n");
goto finish; goto finish;
} }
pa_log_set_target(conf->auto_log_target ? PA_LOG_STDERR : conf->log_target, NULL); pa_log_set_target(conf->auto_log_target ? PA_LOG_STDERR : conf->log_target, NULL);
if (conf->high_priority && conf->cmd == PA_CMD_DAEMON) if (conf->high_priority && conf->cmd == PA_CMD_DAEMON)
pa_raise_priority(); pa_raise_priority();
pa_drop_caps(); pa_drop_caps();
if (suid_root)
pa_drop_root();
if (conf->dl_search_path) if (conf->dl_search_path)
lt_dlsetsearchpath(conf->dl_search_path); lt_dlsetsearchpath(conf->dl_search_path);

64
polyp/util.c
View file

@ -41,11 +41,8 @@
#include <sched.h> #include <sched.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <limits.h> #include <limits.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h> #include <unistd.h>
#include <grp.h>
#include <samplerate.h> #include <samplerate.h>
@ -444,3 +441,62 @@ int pa_parse_resample_method(const char *string) {
else else
return -1; return -1;
} }
static int is_group(gid_t gid, const char *name) {
struct group group, *result = NULL;
long n = sysconf(_SC_GETGR_R_SIZE_MAX);
void *data;
int r = -1;
assert(n > 0);
data = pa_xmalloc(n);
if (getgrgid_r(gid, &group, data, n, &result) < 0 || !result) {
pa_log(__FILE__ ": getgrgid_r(%u) failed: %s\n", gid, strerror(errno));
goto finish;
}
r = strcmp(name, result->gr_name) == 0;
finish:
pa_xfree(data);
return r;
}
int pa_uid_in_group(const char *name, gid_t *gid) {
gid_t *gids, tgid;
long n = sysconf(_SC_NGROUPS_MAX);
int r = -1, i;
assert(n > 0);
gids = pa_xmalloc(sizeof(gid_t)*n);
if ((n = getgroups(n, gids)) < 0) {
pa_log(__FILE__": getgroups() failed: %s\n", strerror(errno));
goto finish;
}
for (i = 0; i < n; i++) {
if (is_group(gids[i], name) > 0) {
*gid = gids[i];
r = 1;
goto finish;
}
}
if (is_group(tgid = getgid(), name) > 0) {
*gid = tgid;
r = 1;
goto finish;
}
r = 0;
finish:
pa_xfree(gids);
return r;
}

1
polyp/util.h
View file

@ -66,5 +66,6 @@ const char *pa_strsignal(int sig);
int pa_parse_resample_method(const char *string); int pa_parse_resample_method(const char *string);
int pa_uid_in_group(const char *name, gid_t *gid);
#endif #endif