changeset 22826:44e84dd9b363
lib: Add restrict_access_get/set_dumpable
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
date | Thu, 08 Feb 2018 13:03:37 +0200 |
parents | 2df6a22a5ad1 |
children | ce305d3d9b52 |
files | src/lib/restrict-access.c src/lib/restrict-access.h |
diffstat | 2 files changed, 29 insertions(+), 4 deletions(-) [+] |
--- a/src/lib/restrict-access.c Thu Feb 08 13:01:50 2018 +0200
+++ b/src/lib/restrict-access.c Thu Feb 08 13:03:37 2018 +0200
@@ -477,14 +477,30 @@
 return chroot_dir;
 }
 
-void restrict_access_allow_coredumps(bool allow ATTR_UNUSED)
+void restrict_access_set_dumpable(bool allow ATTR_UNUSED)
+{
+#ifdef HAVE_PR_SET_DUMPABLE
+ if (prctl(PR_SET_DUMPABLE, allow ? 1 : 0, 0, 0, 0) < 0)
+ i_error("prctl(PR_SET_DUMPABLE) failed: %m");
+#endif
+}
+
+bool restrict_access_get_dumpable(void)
 {
 #ifdef HAVE_PR_SET_DUMPABLE
+ bool allow = FALSE;
+ if (prctl(PR_GET_DUMPABLE, &allow, 0, 0, 0) < 0)
+ i_error("prctl(PR_GET_DUMPABLE) failed: %m");
+ return allow;
+#endif
+ return TRUE;
+}
+
+void restrict_access_allow_coredumps(bool allow)
+{
 if (getenv("PR_SET_DUMPABLE") != NULL) {
- if (prctl(PR_SET_DUMPABLE, allow ? 1 : 0, 0, 0, 0) < 0)
- i_error("prctl(PR_SET_DUMPABLE) failed: %m");
+ restrict_access_set_dumpable(allow);
 }
-#endif
 }
 
 int restrict_access_use_priv_gid(void)
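Review bot: restrict_access_get_dumpable() passes `&allow` as arg2 of prctl(PR_GET_DUMPABLE, ...), but the kernel reports the dumpable flag as prctl()'s return value and ignores arg2, so `allow` is never written and the function reports FALSE on every Linux build regardless of the real state. Because the header ties this flag to PTRACE_ATTACH and /proc/[pid] ownership, a caller checking that hardening is in place would be told "not dumpable" while the process may in fact be dumpable and attachable. The flag is tri-state (0, 1, or 2 for root-only dumps); `ret != 0` below treats 2 as dumpable, which seems the conservative reading for this query — compare against 1 instead if callers want the narrower meaning. The error path keeps the existing behaviour of reporting not-dumpable after logging.
```c
bool restrict_access_get_dumpable(void)
{
#ifdef HAVE_PR_SET_DUMPABLE
	/* PR_GET_DUMPABLE returns the flag itself; arg2 is not an output pointer */
	int ret = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
	if (ret < 0) {
		i_error("prctl(PR_GET_DUMPABLE) failed: %m");
		return FALSE;
	}
	return ret != 0;
#endif
	return TRUE;
}
```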
--- a/src/lib/restrict-access.h Thu Feb 08 13:01:50 2018 +0200
+++ b/src/lib/restrict-access.h Thu Feb 08 13:03:37 2018 +0200
@@ -57,6 +57,15 @@
 */
 void restrict_access_allow_coredumps(bool allow);
 
+/* Sets process dumpable true or false. Setting this true allows core dumping,
+ reading /proc/self/io, attaching with PTRACE_ATTACH, and also changes
+ ownership of /proc/[pid] directory. */
+void restrict_access_set_dumpable(bool allow);
+
+/* Gets process dumpability, returns TRUE if not supported, because
+ we then assume that constraint is not present. */
+bool restrict_access_get_dumpable(void);
+
 /* If privileged_gid was set, these functions can be used to temporarily
 gain access to the group. */
 int restrict_access_use_priv_gid(void);
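Review bot: The comment on restrict_access_get_dumpable() documents only the unsupported-platform result and leaves the failure case unspecified, yet the value of a security-relevant query on error is exactly what a caller has to know before acting on it. The .c side in this commit logs the failure and falls through to its FALSE default, so the header should say so rather than leave readers to infer it: append `On Linux a failed prctl() is logged and the process is reported as not dumpable.` to that comment. It would also help to note that restrict_access_set_dumpable() is a silent no-op when HAVE_PR_SET_DUMPABLE is undefined, since callers may otherwise assume the hardening was applied.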