Remove libcap support
This is simply a false sense of security, and is worse than just using setuid. CAP_SYS_ADMIN is an extremely serious capability that is effectively as powerful as root. It also required users to be in the input group, which allows any process to keylog the entire system.
This commit is contained in:
parent
98d949718c
commit
906c0766df
|
@ -2,7 +2,6 @@ image: alpine/edge
|
||||||
packages:
|
packages:
|
||||||
- eudev-dev
|
- eudev-dev
|
||||||
- ffmpeg-dev
|
- ffmpeg-dev
|
||||||
- libcap-dev
|
|
||||||
- libinput-dev
|
- libinput-dev
|
||||||
- libxkbcommon-dev
|
- libxkbcommon-dev
|
||||||
- mesa-dev
|
- mesa-dev
|
||||||
|
|
|
@ -2,7 +2,6 @@ image: archlinux
|
||||||
packages:
|
packages:
|
||||||
- clang
|
- clang
|
||||||
- ffmpeg
|
- ffmpeg
|
||||||
- libcap
|
|
||||||
- libinput
|
- libinput
|
||||||
- libxkbcommon
|
- libxkbcommon
|
||||||
- mesa
|
- mesa
|
||||||
|
|
|
@ -23,5 +23,5 @@ sources:
|
||||||
tasks:
|
tasks:
|
||||||
- wlroots: |
|
- wlroots: |
|
||||||
cd wlroots
|
cd wlroots
|
||||||
meson build -Dauto_features=enabled -Dlogind=disabled -Dlibcap=disabled
|
meson build -Dauto_features=enabled -Dlogind=disabled
|
||||||
ninja -C build
|
ninja -C build
|
||||||
|
|
|
@ -55,7 +55,6 @@ Install dependencies:
|
||||||
* pixman
|
* pixman
|
||||||
* systemd (optional, for logind support)
|
* systemd (optional, for logind support)
|
||||||
* elogind (optional, for logind support on systems without systemd)
|
* elogind (optional, for logind support on systems without systemd)
|
||||||
* libcap (optional, for capability support)
|
|
||||||
|
|
||||||
If you choose to enable X11 support:
|
If you choose to enable X11 support:
|
||||||
|
|
||||||
|
|
|
@ -24,23 +24,6 @@
|
||||||
|
|
||||||
enum { DRM_MAJOR = 226 };
|
enum { DRM_MAJOR = 226 };
|
||||||
|
|
||||||
#if WLR_HAS_LIBCAP
|
|
||||||
#include <sys/capability.h>
|
|
||||||
|
|
||||||
static bool have_permissions(void) {
|
|
||||||
cap_t cap = cap_get_proc();
|
|
||||||
cap_flag_value_t val;
|
|
||||||
|
|
||||||
if (!cap || cap_get_flag(cap, CAP_SYS_ADMIN, CAP_PERMITTED, &val) || val != CAP_SET) {
|
|
||||||
wlr_log(WLR_ERROR, "Do not have CAP_SYS_ADMIN; cannot become DRM master");
|
|
||||||
cap_free(cap);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
cap_free(cap);
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
static bool have_permissions(void) {
|
static bool have_permissions(void) {
|
||||||
#ifdef __linux__
|
#ifdef __linux__
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0) {
|
||||||
|
@ -50,7 +33,6 @@ static bool have_permissions(void) {
|
||||||
#endif
|
#endif
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
static void send_msg(int sock, int fd, void *buf, size_t buf_len) {
|
static void send_msg(int sock, int fd, void *buf, size_t buf_len) {
|
||||||
char control[CMSG_SPACE(sizeof(fd))] = {0};
|
char control[CMSG_SPACE(sizeof(fd))] = {0};
|
||||||
|
|
|
@ -62,23 +62,3 @@ if logind_found
|
||||||
wlr_files += files('logind.c')
|
wlr_files += files('logind.c')
|
||||||
wlr_deps += logind
|
wlr_deps += logind
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# libcap
|
|
||||||
|
|
||||||
msg = []
|
|
||||||
if get_option('libcap').enabled()
|
|
||||||
msg += 'Install "libcap" or pass "-Dlibcap=disabled".'
|
|
||||||
endif
|
|
||||||
if not get_option('libcap').disabled()
|
|
||||||
msg += 'Required for POSIX capability support (Not needed if using logind).'
|
|
||||||
endif
|
|
||||||
|
|
||||||
libcap = dependency('libcap',
|
|
||||||
required: get_option('libcap'),
|
|
||||||
not_found_message: '\n'.join(msg),
|
|
||||||
)
|
|
||||||
if libcap.found()
|
|
||||||
conf_data.set10('WLR_HAS_LIBCAP', true)
|
|
||||||
wlr_deps += libcap
|
|
||||||
endif
|
|
||||||
|
|
||||||
|
|
|
@ -80,7 +80,6 @@ else
|
||||||
endif
|
endif
|
||||||
|
|
||||||
conf_data = configuration_data()
|
conf_data = configuration_data()
|
||||||
conf_data.set10('WLR_HAS_LIBCAP', false)
|
|
||||||
conf_data.set10('WLR_HAS_SYSTEMD', false)
|
conf_data.set10('WLR_HAS_SYSTEMD', false)
|
||||||
conf_data.set10('WLR_HAS_ELOGIND', false)
|
conf_data.set10('WLR_HAS_ELOGIND', false)
|
||||||
conf_data.set10('WLR_HAS_X11_BACKEND', false)
|
conf_data.set10('WLR_HAS_X11_BACKEND', false)
|
||||||
|
@ -170,7 +169,6 @@ wlroots = declare_dependency(
|
||||||
meson.override_dependency('wlroots', wlroots)
|
meson.override_dependency('wlroots', wlroots)
|
||||||
|
|
||||||
summary({
|
summary({
|
||||||
'libcap': conf_data.get('WLR_HAS_LIBCAP', 0),
|
|
||||||
'systemd': conf_data.get('WLR_HAS_SYSTEMD', 0),
|
'systemd': conf_data.get('WLR_HAS_SYSTEMD', 0),
|
||||||
'elogind': conf_data.get('WLR_HAS_ELOGIND', 0),
|
'elogind': conf_data.get('WLR_HAS_ELOGIND', 0),
|
||||||
'xwayland': conf_data.get('WLR_HAS_XWAYLAND', 0),
|
'xwayland': conf_data.get('WLR_HAS_XWAYLAND', 0),
|
||||||
|
|
|
@ -1,4 +1,3 @@
|
||||||
option('libcap', type: 'feature', value: 'auto', description: 'Enable support for rootless session via capabilities (cap_sys_admin)')
|
|
||||||
option('logind', type: 'feature', value: 'auto', description: 'Enable support for rootless session via logind')
|
option('logind', type: 'feature', value: 'auto', description: 'Enable support for rootless session via logind')
|
||||||
option('logind-provider', type: 'combo', choices: ['auto', 'systemd', 'elogind'], value: 'auto', description: 'Provider of logind support library')
|
option('logind-provider', type: 'combo', choices: ['auto', 'systemd', 'elogind'], value: 'auto', description: 'Provider of logind support library')
|
||||||
option('xcb-errors', type: 'feature', value: 'auto', description: 'Use xcb-errors util library')
|
option('xcb-errors', type: 'feature', value: 'auto', description: 'Use xcb-errors util library')
|
||||||
|
|
Loading…
Reference in New Issue