From 8b53f97c1ca40d0837f25e20cb0a77f10aea066c Mon Sep 17 00:00:00 2001 From: Colin Date: Mon, 2 Sep 2024 17:02:02 +0000 Subject: [PATCH] bunpen: bind the different PR_CAP* prctl syscalls see 'man prctl' for additional calls, some of which were omitted because i don't expect to need them --- pkgs/additional/bunpen/rt/ext/capabilities.ha | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/pkgs/additional/bunpen/rt/ext/capabilities.ha b/pkgs/additional/bunpen/rt/ext/capabilities.ha index 19f7995e0..1aea046c3 100644 --- a/pkgs/additional/bunpen/rt/ext/capabilities.ha +++ b/pkgs/additional/bunpen/rt/ext/capabilities.ha @@ -292,6 +292,9 @@ export fn no_new_privs() (void | rt::errno) = { rt::prctl(rt::PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)?; }; +// set the Effective, Permitted, and Inheritable capability vectors. +// this does NOT effect the Ambient or Bounding capability sets; +// see PR_CAP_AMBIENT and PR_CAPBSET_DROP for that. export fn capset(eff: caps, prm: caps, inh: caps) (void | rt::errno) = { let hdr = user_cap_header { version = _LINUX_CAPABILITY_VERSION_3, @@ -320,3 +323,22 @@ export fn capset(eff: caps, prm: caps, inh: caps) (void | rt::errno) = { ]; syscall(rt::SYS_capset, &hdr: uintptr, &data: uintptr)?; }; + +// add the provided capability to the ambient set. +// the capability must already be in the permitted and inheritable sets (see `capset`). +// will fail if PR_CAP_AMBIENT_LOWER secure bit has been set. +export fn cap_ambient_raise(c: cap) (void | rt::errno) = { + rt::prctl(rt::PR_CAP_AMBIENT, rt::PR_CAP_AMBIENT_RAISE, c: u64, 0, 0)?; +}; + +// remove the provided capability from the ambient set. +export fn cap_ambient_lower(c: cap) (void | rt::errno) = { + rt::prctl(rt::PR_CAP_AMBIENT, rt::PR_CAP_AMBIENT_LOWER, c: u64, 0, 0)?; +}; + +// drop the provided capability from the capability bounding set. +// the effect is to make it so this thread generally can't acquire that capability +// (combine that with NO_NEW_PRIVS to be certain). +export fn capbset_drop(c: cap) (void | rt::errno) = { + rt::prctl(rt::PR_CAPBSET_DROP, c: u64, 0, 0, 0)?; +};