Merge ebf4e7ee9e into ec5c89a368

src/osflags: fully fix cross-compilation

.github/workflows/freebsd.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: macos-12
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: make
       uses: vmactions/freebsd-vm@v0
       with:

.github/workflows/macos.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: macos-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: make
       run: make
     - name: install check

.github/workflows/openbsd.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: macos-12
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: make
       uses: vmactions/openbsd-vm@v0
       with:

.github/workflows/ubuntu.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: make
       run: make
     - name: install check
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: nttld/setup-ndk@v1
       with:
         ndk-version: r21e

.github/workflows/windows.yml

@@ -15,7 +15,7 @@ jobs:
         shell: msys2 {0}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: msys2/setup-msys2@v2
       with:
         msystem: MINGW64

src/common.c

@@ -51,13 +51,18 @@
 # include <selinux/selinux.h>
 #endif
 
+#ifdef HAVE_LIBCAPNG
+#include <stdbool.h>
+#include <cap-ng.h>
+#endif
+
 #include "common.h"
 
 /* The raw header used when not using DNS protocol */
 const unsigned char raw_header[RAW_HDR_LEN] = { 0x10, 0xd1, 0x9e, 0x00 };
 
 /* daemon(3) exists only in 4.4BSD or later, and in GNU libc */
-#if !defined(ANDROID) && !defined(WINDOWS32) && !(defined(BSD) && (BSD >= 199306)) && !defined(__GLIBC__)
+#if !defined(ANDROID) && !defined(WINDOWS32) && !(defined(BSD) && (BSD >= 199306)) && !defined(__GLIBC__) && !defined(__HAIKU__)
 static int daemon(int nochdir, int noclose)
 {
  	int fd, i;
@@ -103,12 +108,60 @@ int setgroups(int count, int *groups)
 
 #ifndef WINDOWS32
 void
-check_superuser(void)
+check_privileges(char *username, int port)
 {
+#if defined HAVE_LIBCAPNG
+	bool capable = true;
+
+	if (capng_get_caps_process() == -1) {
+		warnx("Unable to get capabilities");
+		exit(-1);
+	}
+
+	if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_ADMIN)) {
+		warnx("capabilities: CAP_NET_ADMIN required");
+		capable = false;
+	}
+
+	if (port) {
+		unsigned short int ip_unprivileged_port_start = 1024;
+
+		FILE *file = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
+		if (!file) {
+			warnx("sysctl: unable to get ip_unprivileged_port_start value");
+			// do not bail out here in case systemd.service has ProcSubset=pid set
+		} else {
+			fscanf(file, "%hu", &ip_unprivileged_port_start);
+			fclose(file);
+		}
+
+		if (port < ip_unprivileged_port_start &&
+			!capng_have_capability(CAPNG_EFFECTIVE, CAP_NET_BIND_SERVICE)) {
+			warnx("capabilities: CAP_NET_BIND_SERVICE required");
+			capable = false;
+		}
+	}
+
+	if (username) {
+		if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETUID)) {
+			warnx("capabilities: CAP_SETUID required");
+			capable = false;
+		}
+		if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETGID)) {
+			warnx("capabilities: CAP_SETGID required");
+			capable = false;
+		}
+	}
+
+	if (!capable) {
+		exit(-1);
+	}
+#else
 	if (geteuid() != 0) {
 		warnx("Run as root and you'll be happy.");
 		exit(-1);
 	}
+#endif
 }
 #endif
 

src/common.h

@@ -105,11 +105,11 @@ enum connection {
 };
 
 #ifdef WINDOWS32
-static inline void check_superuser(void)
+static inline void check_privileges(char *, int)
 {
 }
 #else
-void check_superuser(void);
+void check_privileges(char *, int);
 #endif
 char *format_addr(struct sockaddr_storage *sockaddr, int sockaddr_len);
 int get_addr(char *, int, int, int, struct sockaddr_storage *);

src/iodine.c

@@ -279,7 +279,7 @@ int main(int argc, char **argv)
 		}
 	}
 
-	check_superuser();
+	check_privileges(username, 0);
 
 	argc -= optind;
 	argv += optind;

src/iodined.c

@@ -2519,7 +2519,7 @@ main(int argc, char **argv)
 	argc -= optind;
 	argv += optind;
 
-	check_superuser();
+	check_privileges(username, port);
 
 	if (argc != 2)
 		usage();

src/osflags

@@ -13,16 +13,17 @@ link)
 			echo '-lsocket -lbind -lbsd';
 		;;
 		Haiku)
-			echo '-lnetwork';
+			echo '-lnetwork -lbsd';
 		;;
 		windows32)
 			echo '-lws2_32 -liphlpapi';
 		;;
 		Linux)
 			FLAGS="";
-			[ -e /usr/include/selinux/selinux.h ] && FLAGS="$FLAGS -lselinux";
+			"$PKG_CONFIG" --exists libselinux && FLAGS="$FLAGS $($PKG_CONFIG --libs libselinux)";
 			"$PKG_CONFIG" --exists libsystemd-daemon && FLAGS="$FLAGS $($PKG_CONFIG --libs libsystemd-daemon)";
 			"$PKG_CONFIG" --exists libsystemd && FLAGS="$FLAGS $($PKG_CONFIG --libs libsystemd)";
+			"$PKG_CONFIG" --exists libcap-ng && FLAGS="$FLAGS $($PKG_CONFIG --libs libcap-ng)";
 			echo $FLAGS;
 		;;
 	esac
@@ -35,14 +36,18 @@ cflags)
 		BeOS)
 			echo '-Dsocklen_t=int';
 		;;
+		Haiku)
+			echo '-D_DEFAULT_SOURCE';
+		;;
 		Darwin)
 			echo '-D__APPLE_USE_RFC_3542';
 		;;
 		Linux)
 			FLAGS="-D_GNU_SOURCE"
-			[ -e /usr/include/selinux/selinux.h ] && FLAGS="$FLAGS -DHAVE_SETCON";
+			"$PKG_CONFIG" --exists libselinux && FLAGS="$FLAGS -DHAVE_SETCON";
 			"$PKG_CONFIG" --exists libsystemd-daemon && FLAGS="$FLAGS -DHAVE_SYSTEMD";
 			"$PKG_CONFIG" --exists libsystemd && FLAGS="$FLAGS -DHAVE_SYSTEMD";
+			"$PKG_CONFIG" --exists libcap-ng && FLAGS="$FLAGS -DHAVE_LIBCAPNG";
 			echo $FLAGS;
 		;;
 		GNU/kFreeBSD|GNU)