From 75ed03c960bf6613d13435499cba0bddc79dc3fd Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 29 Jun 1999 19:50:54 +0000 Subject: See ChangeLog: Tue Jun 29 21:44:25 CEST 1999 Werner Koch --- util/ChangeLog | 5 +++++ util/secmem.c | 30 ++++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) (limited to 'util') diff --git a/util/ChangeLog b/util/ChangeLog index 3435472c5..35e69fb31 100644 --- a/util/ChangeLog +++ b/util/ChangeLog @@ -1,3 +1,8 @@ +Tue Jun 29 21:44:25 CEST 1999 Werner Koch + + + * secmem.c (USE_CAPABILITIES): Capabilities support (Remi). + Sat Jun 26 12:15:59 CEST 1999 Werner Koch diff --git a/util/secmem.c b/util/secmem.c index 8f7c428e4..35a265408 100644 --- a/util/secmem.c +++ b/util/secmem.c @@ -29,6 +29,9 @@ #include #include #include + #ifdef USE_CAPABILITIES + #include + #endif #endif #include "types.h" @@ -80,7 +83,26 @@ print_warn(void) static void lock_pool( void *p, size_t n ) { - #ifdef HAVE_MLOCK + #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK) + int err; + + cap_set_proc( cap_from_text("cap_ipc_lock+ep") ); + err = mlock( p, n ); + if( err && errno ) + err = errno; + cap_set_proc( cap_from_text("cap_ipc_lock+p") ); + + if( err ) { + if( errno != EPERM + #ifdef EAGAIN /* OpenBSD returns this */ + && errno != EAGAIN + #endif + ) + log_error("canīt lock memory: %s\n", strerror(err)); + show_warning = 1; + } + + #elif defined(HAVE_MLOCK) uid_t uid; int err; @@ -216,7 +238,11 @@ void secmem_init( size_t n ) { if( !n ) { - #ifndef HAVE_DOSISH_SYSTEM + #ifdef USE_CAPABILITIES + /* drop all capabilities */ + cap_set_proc( cap_from_text("all-eip") ); + + #elif !defined(HAVE_DOSISH_SYSTEM) uid_t uid; disable_secmem=1; -- cgit v1.2.3
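Review bot: In the new USE_CAPABILITIES branch of lock_pool the results of `cap_from_text()` and `cap_set_proc()` are ignored, so a failure to lower cap_ipc_lock back to `+p` after `mlock()` passes silently and the process may keep the capability effective; the `cap_t` returned by `cap_from_text()` is also never released with `cap_free()`. The same unchecked pattern is used for the `all-eip` drop in the secmem_init hunk, where a failed drop leaves every capability in place. Each call should keep the `cap_t` in a local, test it for NULL, test the `cap_set_proc()` result, and free it afterwards. Separately, the error filter tests `errno` after the second `cap_set_proc()` call, which can overwrite it; the value saved in `err` is the one to compare: `if( err != EPERM` and `&& err != EAGAIN`. lock_pool's body continues outside the hunk.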
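Review bot: With USE_CAPABILITIES defined, `disable_secmem=1;` is no longer executed for `secmem_init(0)`, because the assignment now sits only in the `#elif !defined(HAVE_DOSISH_SYSTEM)` branch. If the n == 0 call is meant to switch secure memory off on every build (this cannot be confirmed from the hunk), the capabilities branch needs the same assignment, `disable_secmem=1;`, ahead of the `cap_set_proc(...)` line. secmem_init's body continues outside the hunk.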