odhcp6c,odhcpd:

	- drop capabilities before starting using capsh

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/package/network/ipv6/odhcp6c/Makefile b/package/network/ipv6/odhcp6c/Makefile
index 3456061177..5332770ec4 100644
--- a/package/network/ipv6/odhcp6c/Makefile
+++ b/package/network/ipv6/odhcp6c/Makefile
@@ -40,6 +40,12 @@ define Package/odhcp6c/config
     int "CER-ID Extension ID (0 = disabled)"
     depends on PACKAGE_odhcp6c
     default 0
+
+  config PACKAGE_odhcp6c_capsh
+    bool
+    default 0
+    select CONFIG_PACKAGE_libcap-bin
+    prompt "Use capsh to drop capabilities"
 endef
 
 define Package/odhcp6c/install
@@ -47,6 +53,11 @@ define Package/odhcp6c/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/odhcp6c $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/lib/netifd/proto
 	$(INSTALL_BIN) ./files/dhcpv6.sh $(1)/lib/netifd/proto/dhcpv6.sh
+ifneq ($(CONFIG_PACKAGE_odhcp6c_capsh),)
+	sed -i 's|^\s*proto_run_command "$$$$config" odhcp6c.*$$$$|\tlocal DROP_CAPS="cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+epi"\n\tproto_run_command "$$$$config" \\\n\t\t/usr/sbin/capsh --drop="$$$${DROP_CAPS}" -- -c \\\n\t\t"exec odhcp6c -s /lib/netifd/dhcpv6.script $$$$opts $$$$iface"|' $(1)/lib/netifd/proto/dhcpv6.sh
+	sed -i 's|^\s*-s /lib/netifd/dhcpv6.script \\$$$$||' $(1)/lib/netifd/proto/dhcpv6.sh
+	sed -i 's|^\s*$$$$opts $$$$iface$$$$||' $(1)/lib/netifd/proto/dhcpv6.sh
+endif
 	$(INSTALL_BIN) ./files/dhcpv6.script $(1)/lib/netifd/
 endef