author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-30 12:59:29 -0600 |
committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-30 12:59:29 -0600 |
commit | 128bdac94fe8173845e162c61ddb83cb4b8ed8de (patch) | |
tree | 26980ff6e575f2802a5f31443bc9650affe11328 /nixos/modules/security/wrappers | |
parent | d8ecd5eb0d30c3dc302e336755a4a1d6d0cb1ba4 (diff) | |
Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not)
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r-- | nixos/modules/security/wrappers/wrapper.c | 35 |
1 files changed, 22 insertions, 13 deletions
diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c
index 608bd3a378c7..e6f2605143fe 100644
--- a/nixos/modules/security/wrappers/wrapper.c
+++ b/nixos/modules/security/wrappers/wrapper.c
@@ -26,6 +26,9 @@ extern char **environ;
 static char * sourceProg = SOURCE_PROG;
 static char * wrapperDir = WRAPPER_DIR;
 
+// Wrapper debug variable name
+static char * wrapperDebug = "WRAPPER_DEBUG";
+
 // Update the capabilities of the running process to include the given
 // capability in the Ambient set.
 static void set_ambient_cap(cap_value_t cap)
@@ -34,7 +37,7 @@ static void set_ambient_cap(cap_value_t cap)
     if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
     {
-        printf("cannot raise the capability into the Inheritable set\n");
+        perror("cannot raise the capability into the Inheritable set\n");
         exit(1);
     }
 
@@ -56,7 +59,9 @@ static int make_caps_ambient(const char *selfPath)
     if(!caps)
     {
-        fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...\n");
+        if(getenv(wrapperDebug))
+            fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...");
+
         return 1;
     }
 
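Review bot: `wrapperDebug` points at a string literal but is declared `static char *`, so nothing stops a later write through it from being compiled; since it is only ever used as a getenv() key, `static const char *wrapperDebug = "WRAPPER_DEBUG";` says what it is and costs nothing. The two existing declarations just above it have the same shape, though they are not part of this change.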
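Review bot: `perror()` appends `: <strerror(errno)>` plus its own newline, so the `\n` left inside the message on the new side splits the output across two lines, and capng_update() reporting failure is not guaranteed to have set errno, so the suffix may read as an unrelated or "Success" message. This is the wrapper's one unconditional error exit, so keep it as a plain `fprintf(stderr, "cannot raise the capability into the Inheritable set\n");` (or drop the embedded `\n` if errno is known to be meaningful here). set_ambient_cap's body continues outside the hunk.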
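Review bot: The rewritten fprintf drops the trailing `\n` from the "no caps set" message, so whatever is written to stderr next (or the shell prompt) lands on the same line; the cap_from_name message in the hunk at line 132 loses its newline the same way, while the other two messages in that hunk keep theirs. Restore it: `fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...\n");`, and likewise `"cap_from_name failed, skipping: %s\n"` in the later hunk. make_caps_ambient begins before this hunk and continues after it.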
@@ -127,23 +132,27 @@ static int make_caps_ambient(const char *selfPath)
         cap_value_t capnum;
         if (cap_from_name(tok, &capnum))
         {
-            fprintf(stderr, "cap_from_name failed, skipping: %s\n", tok);
+            if(getenv(wrapperDebug))
+                fprintf(stderr, "cap_from_name failed, skipping: %s", tok);
         }
         else if (capnum == CAP_SETPCAP)
         {
-            // Check for the cap_setpcap capability, we set this on the
-            // wrapper so it can elevate the capabilities to the Ambient
-            // set but we do not want to propagate it down into the
-            // wrapped program.
-            //
-            // TODO: what happens if that's the behavior you want
-            // though???? I'm preferring a strict vs. loose policy here.
-            fprintf(stderr, "cap_setpcap in set, skipping it\n");
+            // Check for the cap_setpcap capability, we set this on the
+            // wrapper so it can elevate the capabilities to the Ambient
+            // set but we do not want to propagate it down into the
+            // wrapped program.
+            //
+            // TODO: what happens if that's the behavior you want
+            // though???? I'm preferring a strict vs. loose policy here.
+            if(getenv(wrapperDebug))
+                fprintf(stderr, "cap_setpcap in set, skipping it\n");
         }
         else
         {
-            set_ambient_cap(capnum);
-            printf("raised %s into the Ambient capability set\n", tok);
+            set_ambient_cap(capnum);
+
+            if(getenv(wrapperDebug))
+                fprintf(stderr, "raised %s into the Ambient capability set\n", tok);
         }
     }
     cap_free(capstr); |
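Review bot: `getenv(wrapperDebug)` is re-evaluated for every capability token in the loop (three call sites in this hunk, plus the one near line 59); a single `const int debug = getenv(wrapperDebug) != NULL;` near the top of make_caps_ambient, tested as `if (debug)`, states the intent once and keeps all four gates consistent. The seven re-indented comment lines are whitespace-only churn that buries the one real change in that branch, the getenv guard in front of the fprintf; keeping the original indentation would make the diff easier to review. The enclosing loop and make_caps_ambient start before this hunk, and the code after cap_free is outside it.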