CernVM-FS  2.13.0
repository_env.cc
1 
6 #include <sys/capability.h>
7 #include <sys/prctl.h>
8 #include <unistd.h>
9 
10 #include "publish/except.h"
11 #include "repository.h"
12 #include "util/posix.h"
13 
14 namespace publish {
15 
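/**
 * Marks the process as dumpable and then gives up all of its capabilities.
 *
 * Throws EPublish if the dumpable flag cannot be set, or if the process
 * capability state cannot be read, cleared, or written back.
 */
void Env::DropCapabilities() {
  // Because the process has file capabilities, its dumpable state is set to
  // false, which in turn makes the /proc/self/... files owned by root. We
  // need to reset this to have them owned by the effective UID in order to
  // set, e.g., uid_map/gid_map of user namespaces.
  if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
    throw EPublish("cannot clear dumpable state");

  // cap_get_proc() returns NULL on failure; cap_clear() must not be handed
  // an invalid handle.
  cap_t caps = cap_get_proc();
  if (caps == NULL)
    throw EPublish("cannot clear process capabilities");

  // cap_clear() only empties the working copy held in `caps`. The process
  // keeps its capabilities until that empty set is installed with
  // cap_set_proc(), so both steps are required to actually drop privileges.
  int retval = cap_clear(caps);
  if (retval == 0)
    retval = cap_set_proc(caps);
  // Release the working copy on every path before reporting the outcome.
  cap_free(caps);
  if (retval != 0)
    throw EPublish("cannot clear process capabilities");
}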
33 
34 
/**
 * Returns the resolved path behind the /.cvmfsenter symlink, or an empty
 * string if no such symlink exists.
 *
 * The existence check and the path resolution are two separate file system
 * operations.
 */
std::string Env::GetEnterSessionDir() {
  const std::string marker_link = "/.cvmfsenter";
  // No marker symlink: report that with an empty result
  if (!SymlinkExists(marker_link))
    return "";
  return ResolvePath(marker_link);
}
40 
41 } // namespace publish