From 4d88fcd59da84ac4f09113855c8f15384a4e05c3 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 25 May 2007 20:35:30 +0000 Subject: when called with the setid bit change euid to uid sooner to make sure that we can access our own files even when we dropped most capabilities. (Closes #21) git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1455 fefdeb5f-60dc-0310-8127-8f9354f1896f --- src/pulsecore/core-util.c | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) (limited to 'src/pulsecore/core-util.c') diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c index cc0fb205..480ac3b7 100644 --- a/src/pulsecore/core-util.c +++ b/src/pulsecore/core-util.c @@ -51,6 +51,10 @@ #include #endif +#ifdef HAVE_SYS_CAPABILITY_H +#include +#endif + #ifdef HAVE_PTHREAD #include #endif @@ -481,7 +485,23 @@ char *pa_strlcpy(char *b, const char *s, size_t l) { sensible: set the nice level to -15 and enable realtime scheduling if supported.*/ void pa_raise_priority(void) { - +#if defined(HAVE_SYS_CAPABILITY_H) + cap_t caps; + + /* Temporarily acquire CAP_SYS_NICE in the effective set */ + if ((caps = cap_get_proc())) { + cap_t caps_new; + cap_value_t nice_cap = CAP_SYS_NICE; + + if ((caps_new = cap_dup(caps))) { + cap_set_flag(caps_new, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET); + cap_set_flag(caps_new, CAP_PERMITTED, 1, &nice_cap, CAP_SET); + cap_set_proc(caps_new); + cap_free(caps_new); + } + } +#endif + #ifdef HAVE_SYS_RESOURCE_H if (setpriority(PRIO_PROCESS, 0, NICE_LEVEL) < 0) pa_log_warn("setpriority(): %s", pa_cstrerror(errno)); @@ -495,13 +515,13 @@ void pa_raise_priority(void) { if (sched_getparam(0, &sp) < 0) { pa_log("sched_getparam(): %s", pa_cstrerror(errno)); - return; + goto fail; } sp.sched_priority = 1; if (sched_setscheduler(0, SCHED_FIFO, &sp) < 0) { pa_log_warn("sched_setscheduler(): %s", pa_cstrerror(errno)); - return; + goto fail; } pa_log_info("Successfully enabled SCHED_FIFO scheduling."); 
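Review bot: In the block added at the top of pa_raise_priority(), the results of `cap_set_flag()` and `cap_set_proc(caps_new)` are discarded, and the code also raises CAP_SYS_NICE in CAP_PERMITTED although the comment speaks only of the effective set. On Linux a process cannot add a capability to its own permitted set, so the second `cap_set_flag()` is either redundant or makes the whole `cap_set_proc()` call fail, leaving the effective set unchanged with no log line to explain the `setpriority()` warning that follows. I would drop the CAP_PERMITTED line and report the failure, e.g. `if (cap_set_proc(caps_new) < 0) pa_log_info("cap_set_proc(): %s", pa_cstrerror(errno));`. The function body continues past this hunk.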
@@ -514,6 +534,16 @@ void pa_raise_priority(void) { else pa_log_info("Successfully gained high priority class."); #endif + +fail: + +#if defined(HAVE_SYS_CAPABILITY_H) + if (caps) { + /* Restore original caps */ + cap_set_proc(caps); + cap_free(caps); + } +#endif } /* Reset the priority to normal, inverting the changes made by pa_raise_priority() */ -- cgit
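Review bot: The new `fail:` label is followed only by the `#if defined(HAVE_SYS_CAPABILITY_H)` block and then the closing brace, so on a build without that header the label sits directly before `}`, which C before C23 rejects as a label at the end of a compound statement. A null statement after the `#endif` fixes that: `; /* keeps fail: valid when HAVE_SYS_CAPABILITY_H is undefined */`. Separately, the return value of the restoring `cap_set_proc(caps)` is ignored; if that call fails the process silently keeps whatever elevated set it acquired, so the failure deserves at least a `pa_log_warn("cap_set_proc(): %s", pa_cstrerror(errno));`. The start of pa_raise_priority() is outside this hunk.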