On Monday 25 June 2007 14:00, Johan Borkhuis wrote:
> Is there a way to "tweak" the CAP_IPC_LOCK capability of the system or
> the task so that I can run mlockall call, or is there a way to disable
> this check on Xenomai?
See attached source - It needs to be linked to libcap. Once compiled, set
user/group to root along with the sticky flag (chmod a+s).
Regards, Paul.
/********************************************************************
*
* Description: capabilities_demo.c
*
* Based on trivial-periodic.c from Xenomai's examples/native
* directory - Additional material for dropping root privileges
* and communicating with a kernel task subject to the following
* statement:
*
* Author: Paul Corner <[EMAIL PROTECTED]>
* Created on: Thu Mar 29 12:21:00 BST 2007
* License: GPL Ver. 2
*
* Copyright (c) 2007 Paul Corner <[EMAIL PROTECTED]> All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
********************************************************************/
#include "autoconf.h"
#include <stdlib.h>
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>
#include <native/task.h>
#include <native/heap.h>
#include <native/timer.h>
#define TASK_PRIO 10
void catch_signal(int sig)
{
}
#if HAVE_LIBCAP
#include <sys/capability.h>
#include <sys/prctl.h>
#endif
void set_security(void)
{
#if HAVE_LIBCAP
cap_t cap;
/* Running as root - No need to drop anything. */
if (getuid() == 0)
return;
/* Do a `chown root` and `chmod a+s` to allow non-root use */
if (geteuid() != 0) {
printf("suid not set - aborting");
exit(-EPERM);
}
/* keep root capabilities in the transition to non-root user */
prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
setuid(getuid());
/* drop all privs except CAP_SYS_NICE (for Xenomai), CAP_IPC_LOCK
(for mlockall), and CAP_SYS_RAWIO (for ioperm/iopl) for all
current and future ops - Note: If all IO is done in kernel space,
CAP_SYS_RAWIO can be dropped. */
cap = cap_from_text("CAP_SYS_RAWIO,CAP_IPC_LOCK,CAP_SYS_NICE+ep");
if (errno)
perror("cap_from_text failed");
if (cap_set_proc(cap) < 0) {
perror("Failed to drop root privileges, aborting");
exit(-EPERM);
}
cap_free(cap);
#endif
return;
}
RT_HEAP driver_heap;
int main(int argc, char *argv[])
{
int err = 0;
int t, k, s;
void* mem = NULL;
struct driver_info *info;
struct driver_data *data;
RT_HEAP_INFO heap_info;
signal(SIGTERM, catch_signal);
signal(SIGINT, catch_signal);
set_security();
/* Avoids memory swapping for this program */
mlockall(MCL_CURRENT | MCL_FUTURE);
rt_task_create(&demo_task, "trivial", 0, TASK_PRIO, 0);
rt_task_start(&demo_task, &demo, NULL);
pause();
return err;
}
_______________________________________________
Xenomai-help mailing list
[email protected]
https://mail.gna.org/listinfo/xenomai-help
