39 #ifdef HAVE_SYS_PRCTL_H
40 #include <sys/prctl.h>
60 capng_clear(CAPNG_SELECT_BOTH);
65 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
72 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
73 CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
78 capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
85 if (capng_change_id(userid, groupid, CAPNG_DROP_SUPP_GRP |
86 CAPNG_CLEAR_BOUNDING) < 0)
92 SCLogInfo(
"dropped the caps for main thread");
98 capng_clear(CAPNG_SELECT_BOTH);
99 capng_apply(CAPNG_SELECT_BOTH);
101 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_IPC_LOCK);
102 capng_apply(CAPNG_SELECT_CAPS);
106 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_ADMIN);
107 capng_apply(CAPNG_SELECT_CAPS);
111 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BIND_SERVICE);
112 capng_apply(CAPNG_SELECT_CAPS);
113 SCLogDebug(
"For thread \"%s\" CAP_NET_BIND_SERVICE has been set",
tv->
name);
116 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_BROADCAST);
117 capng_apply(CAPNG_SELECT_CAPS);
121 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_NET_RAW);
122 capng_apply(CAPNG_SELECT_CAPS);
126 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_ADMIN);
127 capng_apply(CAPNG_SELECT_CAPS);
131 capng_update(CAPNG_ADD, (capng_type_t) (CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_RAWIO);
132 capng_apply(CAPNG_SELECT_CAPS);
149 int SCGetUserID(
const char *user_name,
const char *group_name, uint32_t *uid, uint32_t *gid)
152 uint32_t groupid = 0;
156 if (isdigit((
unsigned char)user_name[0]) != 0) {
160 pw = getpwuid(userid);
163 "check if user exist!!");
166 pw = getpwnam(user_name);
169 "check if user exist!!");
175 if (group_name != NULL) {
178 if (isdigit((
unsigned char)group_name[0]) != 0) {
183 gp = getgrnam(group_name);
186 " ID, check if group exist!!");
188 groupid = gp->gr_gid;
191 groupid = pw->pw_gid;
219 if (isdigit((
unsigned char)group_name[0]) != 0) {
224 gp = getgrnam(group_name);
227 " check if group exist!!");
243 int ret = pledge(
"stdio rpath wpath cpath fattr unix dns bpf", NULL);
247 " check permissions!! ret=%i errno=%i", ret, errno);