odhcp6c,odhcpd:

	- drop capabilities before starting using capsh

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

2 files changed, 20 insertions, 0 deletions

diff --git a/package/network/ipv6/odhcp6c/Makefile b/package/network/ipv6/odhcp6c/Makefile
index 894f388945..6a6f9c16e0 100644
--- a/package/network/ipv6/odhcp6c/Makefile
+++ b/package/network/ipv6/odhcp6c/Makefile
@@ -40,6 +40,12 @@ define Package/odhcp6c/config
     int "CER-ID Extension ID (0 = disabled)"
     depends on PACKAGE_odhcp6c
     default 0
+
+  config PACKAGE_odhcp6c_capsh
+    bool
+    default 0
+    select CONFIG_PACKAGE_libcap-bin
+    prompt "Use capsh to drop capabilities"
 endef
 
 define Package/odhcp6c/conffiles
@@ -52,6 +58,11 @@ define Package/odhcp6c/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/odhcp6c $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/lib/netifd/proto
 	$(INSTALL_BIN) ./files/dhcpv6.sh $(1)/lib/netifd/proto/dhcpv6.sh
+ifneq ($(CONFIG_PACKAGE_odhcp6c_capsh),)
+	sed -i 's|^\s*proto_run_command "$$$$config" odhcp6c.*$$$$|\tlocal DROP_CAPS="cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+epi"\n\tproto_run_command "$$$$config" \\\n\t\t/usr/sbin/capsh --drop="$$$${DROP_CAPS}" -- -c \\\n\t\t"exec odhcp6c -s /lib/netifd/dhcpv6.script $$$$opts $$$$iface"|' $(1)/lib/netifd/proto/dhcpv6.sh
+	sed -i 's|^\s*-s /lib/netifd/dhcpv6.script \\$$$$||' $(1)/lib/netifd/proto/dhcpv6.sh
+	sed -i 's|^\s*$$$$opts $$$$iface$$$$||' $(1)/lib/netifd/proto/dhcpv6.sh
+endif
 	$(INSTALL_BIN) ./files/dhcpv6.script $(1)/lib/netifd/
 	$(INSTALL_DIR) $(1)/etc/odhcp6c.user.d/
 	$(INSTALL_CONF) ./files/odhcp6c.user $(1)/etc/
diff --git a/package/network/services/odhcpd/Makefile b/package/network/services/odhcpd/Makefile
index 4092588353..ce0f063708 100644
--- a/package/network/services/odhcpd/Makefile
+++ b/package/network/services/odhcpd/Makefile
@@ -46,6 +46,12 @@ config PACKAGE_odhcpd_$(2)_ext_cer_id
 	int
 	default 0
 	prompt "CER-ID Extension ID (0 = disabled)"
+
+config PACKAGE_odhcpd_$(2)_capsh
+	bool
+	default 0
+	select CONFIG_PACKAGE_libcap-bin
+	prompt "Use capsh to drop capabilities"
 endmenu
 endef
 
@@ -98,6 +104,9 @@ define Package/odhcpd/install
 	$(INSTALL_BIN) ./files/odhcpd-update $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/odhcpd.init $(1)/etc/init.d/odhcpd
+ifneq ($(CONFIG_PACKAGE_odhcpd_$(BUILD_VARIANT)_capsh),)
+	sed -i 's|^\s*procd_set_param command /usr/sbin/odhcpd.*$$$$|\tlocal DROP_CAPS="cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+epi"\n\tprocd_set_param command /usr/sbin/capsh --drop="$$$${DROP_CAPS}" -- -c "exec /usr/sbin/odhcpd -l5"|' $(1)/etc/init.d/odhcpd
+endif
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/odhcpd.defaults $(1)/etc/uci-defaults/15_odhcpd
 endef