extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-08 22:58:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Read capabilities file before the .conf file

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-08-27 11:26:26 -07:00
parent 377e2037ca
commit be81ace811
1 changed files with 55 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
Shorewall/Perl/Shorewall/Config.pm
View File

@ -5031,56 +5031,41 @@ sub read_capabilities() {
} }
# #
# Get the system's capabilities, either by probing or by reading a capabilities file # Get the system's capabilities by probing
# #
sub get_capabilities( $ ) sub get_capabilities($)
{ {
my $export = $_[0]; $iptables = $config{$toolNAME};
if ( ! $export && $> == 0 ) { # $> == $EUID if ( $iptables ) {
$iptables = $config{$toolNAME}; fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
if ( $iptables ) {
fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
} else {
fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
}
#
# Determine if iptables supports the -w option
#
$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
my $iptables_restore=$iptables . '-restore';
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
$tc = $config{TC} || which 'tc';
if ( $tc ) {
fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
}
$ip = $config{IP} || which 'ip';
if ( $ip ) {
fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
}
load_kernel_modules;
if ( open_file 'capabilities' ) {
read_capabilities;
} else {
determine_capabilities;
}
} else { } else {
unless ( open_file 'capabilities' ) { fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
fatal_error "The -e compiler option requires a capabilities file" if $export;
fatal_error "Compiling under non-root uid requires a capabilities file";
}
read_capabilities;
} }
#
# Determine if iptables supports the -w option
#
$iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
my $iptables_restore=$iptables . '-restore';
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
$tc = $config{TC} || which 'tc';
if ( $tc ) {
fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
}
$ip = $config{IP} || which 'ip';
if ( $ip ) {
fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
}
load_kernel_modules;
determine_capabilities unless $_[0];
} }
# #
@ -5401,6 +5386,28 @@ sub get_configuration( $$$$$ ) {
$ENV{PATH} = $default_path; $ENV{PATH} = $default_path;
} }
my $have_capabilities;
if ( $export || $> != 0 ) {
#
# Compiling for export or user not root -- must use a capabilties file
# We read it before processing the .conf file so that 'update' has
# the capabilities.
#
unless ( open_file 'capabilities' ) {
fatal_error "The -e compiler option requires a capabilities file" if $export;
fatal_error "Compiling under non-root uid requires a capabilities file";
}
read_capabilities;
$have_capabilities = 1;
} elsif ( open_file 'capabilities' ) {
read_capabilities;
$have_capabilities = 1;
}
get_params( $export ); get_params( $export );
process_shorewall_conf( $update, $annotate, $directives ); process_shorewall_conf( $update, $annotate, $directives );
@ -5417,7 +5424,9 @@ sub get_configuration( $$$$$ ) {
default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz'; default 'MODULE_PREFIX', 'ko ko.gz o o.gz gz';
default_yes_no 'LOAD_HELPERS_ONLY' , 'Yes'; default_yes_no 'LOAD_HELPERS_ONLY' , 'Yes';
get_capabilities( $export ); if ( ! $export && $> == 0 ) {
get_capabilities($have_capabilities);
}
my ( $val, $all ); my ( $val, $all );