diff options
| author | VG <vg@devys.org> | 2016-03-08 17:10:44 +0100 |
|---|---|---|
| committer | VG <vg@devys.org> | 2016-03-08 17:10:44 +0100 |
| commit | 520a0889fcc8dda79c682c168cf84ff24bedf216 (patch) | |
| tree | ba2a75b909631b7dd39841f79a574ff07f0c86b9 | |
| parent | b3406fe7469ec1511d08d6d4c7461a3714247de9 (diff) | |
| download | runwithcaps-520a0889fcc8dda79c682c168cf84ff24bedf216.tar.gz runwithcaps-520a0889fcc8dda79c682c168cf84ff24bedf216.tar.bz2 runwithcaps-520a0889fcc8dda79c682c168cf84ff24bedf216.zip | |
cosmetic changes
| -rwxr-xr-x | run_with_inherited_caps.py | 12 | ||||
| -rwxr-xr-x | run_with_only_cap_net_bind_service.py | 14 |
2 files changed, 16 insertions, 10 deletions
diff --git a/run_with_inherited_caps.py b/run_with_inherited_caps.py index 063860c..87eef9d 100755 --- a/run_with_inherited_caps.py +++ b/run_with_inherited_caps.py @@ -41,7 +41,8 @@ CAP_CLEAR = 0 CAP_SET = 1 # generated list with command line below: -# sed -n 's/^#define \(CAP_.*\)\s\+\([0-9]\+\).*$/\1 = \2/p' /usr/include/linux/capability.h +# sed -n 's/^#define \(CAP_.*\)\s\+\([0-9]\+\).*$/\1 = \2/p' \ +# /usr/include/linux/capability.h CAP_CHOWN = 0 CAP_DAC_OVERRIDE = 1 CAP_DAC_READ_SEARCH = 2 @@ -96,9 +97,12 @@ ccap_values_temp = ffi.new('cap_value_t[]', cap_values_temp) print('len cap_values:', len(cap_values)) caps = libcap.cap_init() -libcap.cap_set_flag(caps, CAP_INHERITABLE, len(cap_values), ccap_values, CAP_SET) -libcap.cap_set_flag(caps, CAP_PERMITTED, len(cap_values_temp), ccap_values_temp, CAP_SET) -libcap.cap_set_flag(caps, CAP_EFFECTIVE, len(cap_values_temp), ccap_values_temp, CAP_SET) +libcap.cap_set_flag(caps, CAP_INHERITABLE, + len(cap_values), ccap_values, CAP_SET) +libcap.cap_set_flag(caps, CAP_PERMITTED, + len(cap_values_temp), ccap_values_temp, CAP_SET) +libcap.cap_set_flag(caps, CAP_EFFECTIVE, + len(cap_values_temp), ccap_values_temp, CAP_SET) libcap.cap_set_proc(caps) libcap.cap_free(caps) diff --git a/run_with_only_cap_net_bind_service.py b/run_with_only_cap_net_bind_service.py index d5b88a6..99ae8ff 100755 --- a/run_with_only_cap_net_bind_service.py +++ b/run_with_only_cap_net_bind_service.py @@ -15,7 +15,6 @@ ffi = cffi.FFI() libc = ffi.dlopen('libc.so.6') libcap = ffi.dlopen('libcap.so.2') -#libc.printf(ctypes.c_char_p(b"test\n")) ffi.cdef(''' typedef struct _cap_struct *cap_t; @@ -50,7 +49,8 @@ CAP_CLEAR = 0 CAP_SET = 1 # generated list with command line below: -# sed -n 's/^#define \(CAP_.*\)\s\+\([0-9]\+\).*$/\1 = \2/p' /usr/include/linux/capability.h +# sed -n 's/^#define \(CAP_.*\)\s\+\([0-9]\+\).*$/\1 = \2/p' \ +# /usr/include/linux/capability.h CAP_CHOWN = 0 CAP_DAC_OVERRIDE = 1 CAP_DAC_READ_SEARCH = 2 @@ -103,9 +103,12 @@ ccap_values_temp = ffi.new('cap_value_t[]', cap_values_temp) #caps = libcap.cap_get_proc() caps = libcap.cap_init() print('len cap_values:', len(cap_values)) -libcap.cap_set_flag(caps, CAP_PERMITTED, len(cap_values), ccap_values, CAP_SET) -libcap.cap_set_flag(caps, CAP_PERMITTED, len(cap_values_temp), ccap_values_temp, CAP_SET) -libcap.cap_set_flag(caps, CAP_EFFECTIVE, len(cap_values_temp), ccap_values_temp, CAP_SET) +libcap.cap_set_flag(caps, CAP_PERMITTED, + len(cap_values), ccap_values, CAP_SET) +libcap.cap_set_flag(caps, CAP_PERMITTED, + len(cap_values_temp), ccap_values_temp, CAP_SET) +libcap.cap_set_flag(caps, CAP_EFFECTIVE, + len(cap_values_temp), ccap_values_temp, CAP_SET) libcap.cap_set_proc(caps) libcap.cap_free(caps) @@ -113,7 +116,6 @@ print("after dropping caps") os.system("cat /proc/{}/status | grep Cap".format(pid)) print('result:', libc.prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) -#print('result:', libc.prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)) os.setgroups(os.getgrouplist(pwd.getpwuid(uid)[0], gid)) os.setgid(gid) |