diff options
-rw-r--r-- | src/core/capsicum.c | 51 | ||||
-rw-r--r-- | src/core/capsicum.h | 1 | ||||
-rw-r--r-- | src/core/log.c | 7 | ||||
-rw-r--r-- | src/core/rawlog.c | 9 | ||||
-rw-r--r-- | src/fe-common/core/fe-log.c | 10 |
5 files changed, 73 insertions, 5 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c index 6667276c..c554fcf7 100644 --- a/src/core/capsicum.c +++ b/src/core/capsicum.c @@ -136,19 +136,62 @@ int capsicum_open(const char *path, int flags, int mode) { int fd; - /* +1 is for slash separating irclogs_path and the rest. */ - if (strlen(path) > irclogs_path_len + 1 && strncmp(path, irclogs_path, irclogs_path_len) == 0) { - fd = openat(irclogs_fd, path + irclogs_path_len + 1, flags, mode); + /* +1 is for the slash separating irclogs_path and the rest. */ + if (strlen(path) > irclogs_path_len + 1 && + strncmp(path, irclogs_path, irclogs_path_len) == 0) { + fd = openat(irclogs_fd, path + irclogs_path_len + 1, + flags, mode); } else { fd = open(path, flags, mode); } if (fd < 0 && (errno == ENOTCAPABLE || errno == ECAPMODE)) - g_warning("File system access restricted to %s due to capability mode", irclogs_path); + g_warning("File system access restricted to %s " + "due to capability mode", irclogs_path); return (fd); } +void capsicum_mkdir_with_parents(const char *path, int mode) +{ + char *component, *copy, *tofree; + int error, fd, newfd; + + /* +1 is for the slash separating irclogs_path and the rest. */ + if (strlen(path) <= irclogs_path_len + 1 || + strncmp(path, irclogs_path, irclogs_path_len) != 0) { + g_warning("Cannot create %s: file system access restricted " + "to %s due to capability mode", path, irclogs_path); + return; + } + + copy = tofree = g_strdup(path + irclogs_path_len + 1); + fd = irclogs_fd; + for (;;) { + component = strsep(©, "/"); + if (component == NULL) + break; + error = mkdirat(fd, component, mode); + if (error != 0 && errno != EEXIST) { + g_warning("cannot create %s: %s", + component, strerror(errno)); + break; + } + newfd = openat(fd, component, O_DIRECTORY); + if (newfd < 0) { + g_warning("cannot open %s: %s", + component, strerror(errno)); + break; + } + if (fd != irclogs_fd) + close(fd); + fd = newfd; + } + g_free(tofree); + if (fd != irclogs_fd) + close(fd); +} + nvlist_t *symbiont_connect(const nvlist_t *request) { nvlist_t *response; diff --git a/src/core/capsicum.h b/src/core/capsicum.h index ca35fd05..1eb56402 100644 --- a/src/core/capsicum.h +++ b/src/core/capsicum.h @@ -5,6 +5,7 @@ gboolean capsicum_enabled(void); int capsicum_net_connect_ip(IPADDR *ip, int port, IPADDR *my_ip); int capsicum_net_gethostbyname(const char *addr, IPADDR *ip4, IPADDR *ip6); int capsicum_open(const char *path, int flags, int mode); +void capsicum_mkdir_with_parents(const char *path, int mode); void capsicum_init(void); void capsicum_deinit(void); diff --git a/src/core/log.c b/src/core/log.c index 00686bee..9394263f 100644 --- a/src/core/log.c +++ b/src/core/log.c @@ -127,7 +127,14 @@ int log_start_logging(LOG_REC *log) /* path may contain variables (%time, $vars), make sure the directory is created */ dir = g_path_get_dirname(log->real_fname); +#ifdef HAVE_CAPSICUM + if (capsicum_enabled()) + capsicum_mkdir_with_parents(dir, log_dir_create_mode); + else + g_mkdir_with_parents(dir, log_dir_create_mode); +#else g_mkdir_with_parents(dir, log_dir_create_mode); +#endif g_free(dir); } diff --git a/src/core/rawlog.c b/src/core/rawlog.c index 5df02981..dd86af7c 100644 --- a/src/core/rawlog.c +++ b/src/core/rawlog.c @@ -167,7 +167,14 @@ void rawlog_save(RAWLOG_REC *rawlog, const char *fname) int f; dir = g_path_get_dirname(fname); - g_mkdir_with_parents(dir, log_dir_create_mode); +#ifdef HAVE_CAPSICUM + if (capsicum_enabled()) + capsicum_mkdir_with_parents(dir, log_dir_create_mode); + else + g_mkdir_with_parents(dir, log_dir_create_mode); +#else + g_mkdir_with_parents(dir, log_dir_create_mode); +#endif g_free(dir); path = convert_home(fname); diff --git a/src/fe-common/core/fe-log.c b/src/fe-common/core/fe-log.c index 37b29990..deb70991 100644 --- a/src/fe-common/core/fe-log.c +++ b/src/fe-common/core/fe-log.c @@ -30,6 +30,9 @@ #include "special-vars.h" #include "settings.h" #include "lib-config/iconfig.h" +#ifdef HAVE_CAPSICUM +#include "capsicum.h" +#endif #include "fe-windows.h" #include "window-items.h" @@ -451,7 +454,14 @@ static void autolog_open(SERVER_REC *server, const char *server_tag, log_item_add(log, LOG_ITEM_TARGET, target, server_tag); dir = g_path_get_dirname(log->real_fname); +#ifdef HAVE_CAPSICUM + if (capsicum_enabled()) + capsicum_mkdir_with_parents(dir, log_dir_create_mode); + else + g_mkdir_with_parents(dir, log_dir_create_mode); +#else g_mkdir_with_parents(dir, log_dir_create_mode); +#endif g_free(dir); log->temp = TRUE; |