server: Drop unnecessary caps

Closes #78

Author: bilelmoussaoui

Cargo.lock

@@ -12,9 +12,11 @@ version.workspace = true
 [dependencies]
 ashpd = {workspace = true, features = ["backend", "tracing"]}
 base64 = "0.22"
+caps = "0.4"
 clap.workspace = true
 enumflags2 = "0.7"
 hkdf = { version = "0.12", optional = true }
+nix = { version = "0.24", default-features = false, features = ["user"]}
 num = "0.4.0"
 num-bigint-dig = { version = "0.8", features = ["zeroize"] }
 openssl = { version = "0.10", optional = true }

server/Cargo.toml

@@ -0,0 +1,67 @@
+use caps::{CapSet, Capability, CapsHashSet};
+use nix::unistd::{getgid, getuid, setgid, setgroups, setuid};
+
+#[derive(Debug)]
+pub enum Error {
+    CapsReadError(caps::errors::CapsError),
+    CapsUpdateError(caps::errors::CapsError),
+    DropGroupsError(nix::Error),
+    SetGidError(nix::Error),
+    SetUidError(nix::Error),
+    InsufficientCapabilities,
+    NoCapabilities,
+}
+
+impl std::fmt::Display for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::CapsReadError(e) => write!(f, "Failed to read process capabilities: {}", e),
+            Self::CapsUpdateError(e) => write!(f, "Failed updating process capabilities: {}", e),
+            Self::DropGroupsError(e) => write!(f, "Failed to drop supplementary groups: {}", e),
+            Self::SetGidError(e) => write!(f, "Failed to setgid: {}", e),
+            Self::SetUidError(e) => write!(f, "Failed to setuid: {}", e),
+            Self::InsufficientCapabilities => write!(
+                f,
+                "Insufficient process capabilities, insecure memory might get used"
+            ),
+            Self::NoCapabilities => {
+                write!(f, "No process capabilities, insecure memory might get used")
+            }
+        }
+    }
+}
+
+impl std::error::Error for Error {}
+
+pub fn drop_unnecessary_capabilities() -> Result<(), Error> {
+    // Load current process capabilities
+    let permitted_caps = caps::read(None, CapSet::Permitted).map_err(Error::CapsReadError)?;
+
+    if permitted_caps.contains(&Capability::CAP_IPC_LOCK) {
+        // Check if CAP_SETPCAP is available (needed to drop bounding set and groups)
+        let has_setpcap = caps::has_cap(None, CapSet::Permitted, Capability::CAP_SETPCAP)
+            .map_err(Error::CapsReadError)?;
+
+        let mut drop_caps = CapsHashSet::new();
+        drop_caps.insert(Capability::CAP_IPC_LOCK);
+
+        // Clear other capabilities and apply only CAP_IPC_LOCK
+        caps::set(None, CapSet::Effective, &drop_caps).map_err(Error::CapsUpdateError)?;
+        caps::set(None, CapSet::Permitted, &drop_caps).map_err(Error::CapsUpdateError)?;
+
+        // Drop supplementary groups and switch to real UID/GID.
+        if has_setpcap {
+            setgroups(&[]).map_err(Error::DropGroupsError)?;
+            setgid(getgid()).map_err(Error::SetGidError)?;
+            setuid(getuid()).map_err(Error::SetUidError)?;
+        } else {
+            return Err(Error::InsufficientCapabilities);
+        }
+    } else if permitted_caps.is_empty() {
+        return Err(Error::NoCapabilities);
+    } else {
+        return Err(Error::InsufficientCapabilities);
+    }
+
+    Ok(())
+}

server/src/capability.rs

@@ -2,6 +2,8 @@ use std::fmt;
 
 use oo7::dbus::ServiceError;
 
+use crate::capability;
+
 #[derive(Debug)]
 pub enum Error {
     // File backend error
@@ -14,6 +16,8 @@ pub enum Error {
     EmptyPassword,
     // Invalid item error
     InvalidItem(oo7::file::InvalidItemError),
+    // Capability error
+    Capability(capability::Error),
 }
 
 impl From<zbus::Error> for Error {
@@ -34,6 +38,12 @@ impl From<std::io::Error> for Error {
     }
 }
 
+impl From<capability::Error> for Error {
+    fn from(err: capability::Error) -> Self {
+        Self::Capability(err)
+    }
+}
+
 impl fmt::Display for Error {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
@@ -42,6 +52,7 @@ impl fmt::Display for Error {
             Self::IO(err) => write!(f, "IO error {err}"),
             Self::EmptyPassword => write!(f, "Login password can't be empty"),
             Self::InvalidItem(err) => write!(f, "Item cannot be decrypted {err}"),
+            Self::Capability(err) => write!(f, "Capability error {err}"),
         }
     }
 }

server/src/error.rs

@@ -1,3 +1,4 @@
+mod capability;
 mod collection;
 mod error;
 #[allow(unused)]
@@ -31,6 +32,8 @@ struct Args {
 #[tokio::main]
 async fn main() -> Result<(), Error> {
     tracing_subscriber::fmt::init();
+    capability::drop_unnecessary_capabilities()?;
+
     let args = Args::parse();
     let mut secret = None;