diff options
Diffstat (limited to '')
| -rw-r--r-- | util/secmem.c | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/util/secmem.c b/util/secmem.c index 8f7c428e4..35a265408 100644 --- a/util/secmem.c +++ b/util/secmem.c @@ -29,6 +29,9 @@ #include <sys/mman.h> #include <sys/types.h> #include <fcntl.h> + #ifdef USE_CAPABILITIES + #include <sys/capability.h> + #endif #endif #include "types.h" @@ -80,7 +83,26 @@ print_warn(void) static void lock_pool( void *p, size_t n ) { - #ifdef HAVE_MLOCK + #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK) + int err; + + cap_set_proc( cap_from_text("cap_ipc_lock+ep") ); + err = mlock( p, n ); + if( err && errno ) + err = errno; + cap_set_proc( cap_from_text("cap_ipc_lock+p") ); + + if( err ) { + if( errno != EPERM + #ifdef EAGAIN /* OpenBSD returns this */ + && errno != EAGAIN + #endif + ) + log_error("can�t lock memory: %s\n", strerror(err)); + show_warning = 1; + } + + #elif defined(HAVE_MLOCK) uid_t uid; int err; @@ -216,7 +238,11 @@ void secmem_init( size_t n ) { if( !n ) { - #ifndef HAVE_DOSISH_SYSTEM + #ifdef USE_CAPABILITIES + /* drop all capabilities */ + cap_set_proc( cap_from_text("all-eip") ); + + #elif !defined(HAVE_DOSISH_SYSTEM) uid_t uid; disable_secmem=1; |