Allow staprun to run on kernels without capabilities configured.

diff --git a/runtime/staprun/ChangeLog b/runtime/staprun/ChangeLog
index e2da236e803e5d8cc703bdcf88cff45ab044fb4f..f1abd7363f1973b3f4b56407d9d98e08e20e3e61 100644 (file)
--- a/runtime/staprun/ChangeLog
+++ b/runtime/staprun/ChangeLog
@@ -1,5 +1,10 @@
 2008-04-22  Martin Hunt  <hunt@redhat.com>
 
+       * cap.c (init_cap): Detect capabilities failure and
+       run with them disabled.
+       
+2008-04-22  Martin Hunt  <hunt@redhat.com>
+       
        * mainloop.c (send_request): Move here from common.c
        staprun no longer send any messages.
 

diff --git a/runtime/staprun/cap.c b/runtime/staprun/cap.c
index 6f22dfc94919c2b3956e2ea420f8bdee29af0190..6ac6701f3a2cd85e6b49f76862033ecfe9bb7ddb 100644 (file)
--- a/runtime/staprun/cap.c
+++ b/runtime/staprun/cap.c
@@ -23,6 +23,8 @@
 #include "staprun.h"
 #include <sys/prctl.h>
 
+static int _stp_no_caps = 0;
+
 /* like perror, but exits */
 #define ferror(msg) {                                            \
                _perr(msg);                                       \
@@ -54,10 +56,10 @@
  * CAP_CHOWN - allows chown
  */
 
-int init_cap(void)
+void init_cap(void)
 {
        cap_t caps = cap_init();
-       cap_value_t capv[] = {CAP_SYS_MODULE, CAP_SYS_ADMIN, CAP_SYS_NICE, CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE};
+       cap_value_t capv[] = { CAP_SYS_MODULE, CAP_SYS_ADMIN, CAP_SYS_NICE, CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE };
        const int numcaps = sizeof(capv) / sizeof(capv[0]);
        uid_t uid = getuid();
        gid_t gid = getgid();
@@ -69,8 +71,11 @@ int init_cap(void)
        if (cap_set_flag(caps, CAP_PERMITTED, numcaps, capv, CAP_SET) < 0)
                ferror("cap_set_flag");
 
-       if (cap_set_proc(caps) < 0)
-               ferror("cap_set_proc");
+       if (cap_set_proc(caps) < 0) {
+               dbug(1, "Setting capabilities failed. Capabilities disabled.\n");
+               _stp_no_caps = 1;
+               return;
+       }
 
        cap_free(caps);
 
@@ -82,8 +87,6 @@ int init_cap(void)
 
        if (setresgid(gid, gid, gid) < 0)
                ferror("setresgid");
-
-       return 1;
 }
 
 void print_cap(char *text)
@@ -97,19 +100,18 @@ void print_cap(char *text)
                perr("cap_get_proc");
                return;
        }
-       
+
        getresuid(&uid, &euid, &suid);
        getresgid(&gid, &egid, &sgid);
 
        printf("***** %s\n", text);
 
-       if ((p=prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0)) < 0)
+       if ((p = prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0)) < 0)
                perr("Couldn't get PR_SET_KEEPCAPS flag value");
-       else 
+       else
                printf("KEEPCAPS: %d\n", p);
 
-       printf("uid: %d, euid: %d, suid: %d\ngid: %d. egid: %d, sgid: %d\n", 
-              uid, euid, suid, gid, egid, sgid );
+       printf("uid: %d, euid: %d, suid: %d\ngid: %d. egid: %d, sgid: %d\n", uid, euid, suid, gid, egid, sgid);
        printf("Caps: %s\n", cap_to_text(caps, NULL));
        cap_free(caps);
        printf("*****\n\n");
@@ -121,38 +123,44 @@ void print_cap(char *text)
  */
 void drop_cap(cap_value_t cap)
 {
-       cap_t caps = cap_get_proc();
-       if (caps == NULL)
-               ferror("cap_get_proc failed");
-       if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_CLEAR) < 0)
-               ferror("Could not clear effective capabilities");
-       if (cap_set_proc(caps) < 0)
-               ferror("Could not apply capability set");
-       cap_free(caps);
+       if (_stp_no_caps == 0) {
+               cap_t caps = cap_get_proc();
+               if (caps == NULL)
+                       ferror("cap_get_proc failed");
+               if (cap_set_flag(caps, CAP_PERMITTED, 1, &cap, CAP_CLEAR) < 0)
+                       ferror("Could not clear effective capabilities");
+               if (cap_set_proc(caps) < 0)
+                       ferror("Could not apply capability set");
+               cap_free(caps);
+       }
 }
 
 /* add_cap() adds a permitted capability to the effective set. */
 void add_cap(cap_value_t cap)
 {
-       cap_t caps = cap_get_proc();
-       if (caps == NULL)
-               ferror("cap_get_proc failed");
-       if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) < 0)
-               ferror("Could not set effective capabilities");
-       if (cap_set_proc(caps) < 0)
-               ferror("Could not apply capability set");
-       cap_free(caps);
+       if (_stp_no_caps == 0) {
+               cap_t caps = cap_get_proc();
+               if (caps == NULL)
+                       ferror("cap_get_proc failed");
+               if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_SET) < 0)
+                       ferror("Could not set effective capabilities");
+               if (cap_set_proc(caps) < 0)
+                       ferror("Could not apply capability set");
+               cap_free(caps);
+       }
 }
 
 /* del_cap() deletes a permitted capability from the effective set. */
 void del_cap(cap_value_t cap)
 {
-       cap_t caps = cap_get_proc();
-       if (caps == NULL)
-               ferror("cap_get_proc failed");
-       if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR) < 0)
-               ferror("Could not clear effective capabilities");
-       if (cap_set_proc(caps) < 0)
-               ferror("Could not apply capability set");
-       cap_free(caps);
+       if (_stp_no_caps == 0) {
+               cap_t caps = cap_get_proc();
+               if (caps == NULL)
+                       ferror("cap_get_proc failed");
+               if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, CAP_CLEAR) < 0)
+                       ferror("Could not clear effective capabilities");
+               if (cap_set_proc(caps) < 0)
+                       ferror("Could not apply capability set");
+               cap_free(caps);
+       }
 }

diff --git a/runtime/staprun/common.c b/runtime/staprun/common.c
index 2ae1d8e4a1e035782724fc07197804ce9abb597e..f8fc418c87568ff9e1118206e6bd64e711010da3 100644 (file)
--- a/runtime/staprun/common.c
+++ b/runtime/staprun/common.c
@@ -135,7 +135,7 @@ void usage(char *prog)
        err("                That value will be per-cpu in bulk mode.\n");
        err("-L              Load module and start probes, then detach.\n");
        err("-A              Attach to loaded systemtap module.\n");
-       err("-d modulename   Delete a module.  Only detached or unused modules\n");
+       err("-d              Delete a module.  Only detached or unused modules\n");
        err("                the user has permission to access will be deleted. Use \"*\"\n");
        err("                (quoted) to delete all unused modules.\n");
        err("MODULE can be either a module name or a module path.  If a\n");

diff --git a/runtime/staprun/staprun.c b/runtime/staprun/staprun.c
index f9ca8e457ff20b9fe6fb3d1bcbf169dd0c6f9ace..ee9bdc7bc2677fac8bf0a718911397d326304f65 100644 (file)
--- a/runtime/staprun/staprun.c
+++ b/runtime/staprun/staprun.c
@@ -260,9 +260,8 @@ int main(int argc, char **argv)
                exit(1);
        }
 
-       if (!init_cap())
-               exit(1);
-
+       init_cap();
+               
        if (check_permissions() != 1)
                usage(argv[0]);
 

diff --git a/runtime/staprun/staprun.h b/runtime/staprun/staprun.h
index 6308d302f862dd78e610a04b41f4ad18101cad7f..60bab39199c9ae6bb1ee3aafa85cadf45e051da8 100644 (file)
--- a/runtime/staprun/staprun.h
+++ b/runtime/staprun/staprun.h
@@ -126,7 +126,7 @@ void close_oldrelayfs(int);
 void setup_signals(void);
 /* cap.c */
 void print_cap(char *text);
-int init_cap(void);
+void init_cap(void);
 void add_cap(cap_value_t cap);
 void del_cap(cap_value_t cap);
 void drop_cap(cap_value_t cap);

diff --git a/staprun.8.in b/staprun.8.in
index 90d755a77dbd9c2fe4eead320f89465616fe320c..679dda0f558706a272c3181430016bbbdd3986ea 100644 (file)
--- a/staprun.8.in
+++ b/staprun.8.in
@@ -69,7 +69,7 @@ option.
 .B \-A
 Attach to loaded systemtap module.
 .TP
-.B \-d MODULENAME
+.B \-d
 Delete a module.  Only detached or unused modules
 the user has permission to access will be deleted. Use "*"
 (quoted) to delete all unused modules.