#ifndef RESTRICT_ACCESS_H
#define RESTRICT_ACCESS_H
/* Flags that modify how restrict_access() and restrict_access_by_env()
 * treat a process that still holds root privileges. */
enum restrict_access_flags {
/* If flags given to restrict_access() include
 * RESTRICT_ACCESS_FLAG_ALLOW_ROOT, we won't kill
 * ourself when we have root privileges.
 *
 * The default is therefore fail-closed: without this flag a process that
 * still has root privileges is killed rather than allowed to continue.
 *
 * NOTE(review): the enumerator itself is not visible in this excerpt;
 * restore the declaration from the original header, do not guess its
 * value. */
};
/* Settings that describe how access is to be restricted; restrict_access()
 * is documented in this header as acting "as specified by the settings".
 *
 * NOTE(review): several comments below describe members whose declarations
 * are not visible in this excerpt (UID, GID, privileged GID, GID range and
 * the "source" string). Only the members actually declared here are known;
 * confirm the rest against the original header. */
struct restrict_access_settings {
/* UID to use, or (uid_t)-1 if you don't want to change it */
/* Effective GID to use, or (gid_t)-1 if you don't want to change it */
/* If not (gid_t)-1, the privileged GID can be temporarily ...
 * NOTE(review): this comment is cut off in the excerpt. Elsewhere in this
 * header the restrict_access_*_priv_gid() functions are described as
 * temporarily gaining access to the group when privileged_gid was set. */
/* Add access to these space- or comma-separated extra groups */
const char *extra_groups;
/* Add access to groups this system user belongs to */
const char *system_groups_user;
/* All specified GIDs must be in this range. If extra_groups or
 * system_groups_user contains other GIDs, they're silently dropped.
 * Because the drop is silent, a wrong range shows up as missing group
 * access rather than as an error. */
/* Human readable "source" of UID and GID values. If non-NULL, ...
 * NOTE(review): this comment is cut off in the excerpt; what the string is
 * used for when non-NULL is not shown here. */
/* Chroot directory */
const char *chroot_dir;
/* Allow running in setuid-root mode, where real UID is root and
 * effective UID is non-root. By default the real UID is changed
 * to be the same as the effective UID.
 * While this is set the real UID stays root, so the process is not fully
 * de-privileged; leave it false unless setuid-root operation is required. */
bool allow_setuid_root;
};
/* Initialize settings with values that don't change anything. */
/* Restrict access as specified by the settings. If home is not NULL,
   it's chdir()ed after chrooting, otherwise it chdirs to / (the chroot). */
/* NOTE(review): the declarations that the two comments above describe are
   not visible in this excerpt; the attribute below is all that remains of
   the second one. Presumably ATTR_NULL(3) marks the third parameter (home,
   going by the comment above) as allowed to be NULL - confirm against the
   macro definition and the original prototype. */
ATTR_NULL(3);
/* Set environment variables so they can be read with
restrict_access_by_env(). */
/* Read the environment variables set by restrict_access_set_env() back into
the struct. */
/* Read restrictions from the environment and call restrict_access().
If flags do not include RESTRICT_ACCESS_FLAG_ALLOW_ROOT, we'll kill ourself
unless the RESTRICT_* environment variables caused root privileges to be
dropped. */
/* Return the chrooted directory if restrict_access*() chrooted,
   otherwise NULL. A NULL result only says that these functions did not
   chroot; it says nothing about a chroot set up by other means.
   NOTE(review): lifetime and ownership of the returned string are not
   stated here - treat it as read-only and confirm before keeping the
   pointer. */
const char *restrict_access_get_current_chroot(void);
/*
   Checks if PR_SET_DUMPABLE environment variable is set, and if it is,
   calls restrict_access_set_dumpable(allow).

   allow: value passed on to restrict_access_set_dumpable().

   NOTE(review): as described, the call is conditional on the environment
   variable; presumably nothing is changed when it is unset - confirm in
   the implementation. Core dumps contain process memory, so enable them
   only where the dump location is protected.
*/
void restrict_access_allow_coredumps(bool allow);
/* Sets process dumpable true or false. Setting this true allows core dumping
   and, going by the original wording, also concerns ownership of the
   /proc/[pid] directory.
   NOTE(review): the original sentence reads "allows core dumping,
   ownership of /proc/[pid] directory" and looks truncated - confirm the
   full list of effects against the implementation before relying on this
   description. */
void restrict_access_set_dumpable(bool allow);
/* Gets process dumpability, returns TRUE if not supported, because
   we then assume that constraint is not present.
   Callers should keep in mind that TRUE is also the answer on platforms
   where dumpability cannot be queried, so a TRUE result does not prove
   that the flag was actually read from the system. */
bool restrict_access_get_dumpable(void);
/* If privileged_gid was set, these functions can be used to temporarily
   gain access to the group.
   NOTE(review): presumably restrict_access_use_priv_gid() acquires the
   group and restrict_access_drop_priv_gid() gives it up again; the meaning
   of the int result is not documented here (presumably 0 on success and
   -1 on failure - confirm). Check the result before touching anything
   that depends on the group, and pair every use with a drop so the
   privileged window stays as short as possible. */
int restrict_access_use_priv_gid(void);
void restrict_access_drop_priv_gid(void);
/* Returns TRUE if privileged GID exists for this process. */
bool restrict_access_have_priv_gid(void);
#endif