aboutsummaryrefslogtreecommitdiff
path: root/qemu-bridge-helper.c
diff options
context:
space:
mode:
Diffstat (limited to 'qemu-bridge-helper.c')
-rw-r--r--qemu-bridge-helper.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 01eeb38c58..aec5008e22 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -39,6 +39,10 @@
#include "net/tap-linux.h"
+#ifdef CONFIG_LIBCAP
+#include <cap-ng.h>
+#endif
+
#define DEFAULT_ACL_FILE CONFIG_QEMU_CONFDIR "/bridge.conf"
enum {
@@ -193,6 +197,27 @@ static int send_fd(int c, int fd)
return sendmsg(c, &msg, 0);
}
+#ifdef CONFIG_LIBCAP
+static int drop_privileges(void)
+{
+ /* clear all capabilities */
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_NET_ADMIN) < 0) {
+ return -1;
+ }
+
+ /* change to calling user's real uid and gid, retaining supplemental
+ * groups and CAP_NET_ADMIN */
+ if (capng_change_id(getuid(), getgid(), CAPNG_CLEAR_BOUNDING)) {
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
int main(int argc, char **argv)
{
struct ifreq ifr;
@@ -207,6 +232,17 @@ int main(int argc, char **argv)
int access_allowed, access_denied;
int ret = EXIT_SUCCESS;
+#ifdef CONFIG_LIBCAP
+ /* if we're run from an suid binary, immediately drop privileges preserving
+ * cap_net_admin */
+ if (geteuid() == 0 && getuid() != geteuid()) {
+ if (drop_privileges() == -1) {
+ fprintf(stderr, "failed to drop privileges\n");
+ return 1;
+ }
+ }
+#endif
+
/* parse arguments */
for (index = 1; index < argc; index++) {
if (strcmp(argv[index], "--use-vnet") == 0) {