haproxy/include/haproxy/linuxcap.h

#ifndef _HAPROXY_LINUXCAP_H
#define _HAPROXY_LINUXCAP_H
#include <syscall.h>
#include <linux/capability.h>

#define CAPS_TO_ULLONG(low, high)    (((ullong)high << 32) | (ullong)low)

/* for haproxy process itself, allocate this 8 byte-size struct only once in
 * .data and makes it accessible from other compile-units, because we always
 * fill it with the same values and because we could use it to collect
 * capabilities for post_mortem debug info.
 */
extern struct __user_cap_header_struct cap_hdr_haproxy;

/* provided by sys/capability.h on some distros, declared here, as could be used
 * in debug.c, in order to collect info about process capabilities before
 * applying its configuration and at runtime.
 */
static inline int capget(cap_user_header_t hdrp, const cap_user_data_t datap)
{
	return syscall(SYS_capget, hdrp, datap);
}
int prepare_caps_for_setuid(int from_uid, int to_uid);
int finalize_caps_after_setuid(int from_uid, int to_uid);
int prepare_caps_from_permitted_set(int from_uid, int to_uid);

#endif /* _HAPROXY_LINUXCAP_H */
MEDIUM: capabilities: enable support for Linux capabilities For a while there has been the constraint of having to run as root for transparent proxying, and we're starting to see some cases where QUIC is not running in socket-per-connection mode due to the missing capability that would be needed to bind a privileged port. It's not realistic to ask all QUIC users on port 443 to run as root, so instead let's provide a basic support for capabilities at least on linux. The ones currently supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The mechanism was made OS-specific with a dedicated file because it really is. It can be easily refined later for other OSes if needed. A new keyword "setcaps" is added to the global section, to enumerate the capabilities that must be kept when switching from root to non-root. This is ignored in other situations though. HAProxy has to be built with USE_LINUX_CAP=1 for this to be supported, which is enabled by default for linux-glibc, linux-glibc-legacy and linux-musl. A good way to test this is to start haproxy with such a config: global uid 1000 setcap cap_net_bind_service frontend test mode http timeout client 3s bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt and run it under "sudo strace -e trace=bind,setuid", then connecting there from an H3 client. The bind() syscall must succeed despite the user id having been switched. 2023-08-29 04:24:26 -04:00			`#ifndef _HAPROXY_LINUXCAP_H`
			`#define _HAPROXY_LINUXCAP_H`
MINOR: capabilities: export capget and __user_cap_header_struct To be able to show process capabilities before applying its configuration and also at runtime in 'show dev' command output, we need to export the wrapper around capget() syscall. It also seems more handy to place __user_cap_header_struct in .data section and declare it as globally accessible, as we always fill it with the same values. This avoids allocate and fill these 8 bytes each time on the stack frame, when capget() or capset() wrappers are called. 2024-05-31 12:01:07 -04:00			`#include <syscall.h>`
			`#include <linux/capability.h>`
MEDIUM: capabilities: enable support for Linux capabilities For a while there has been the constraint of having to run as root for transparent proxying, and we're starting to see some cases where QUIC is not running in socket-per-connection mode due to the missing capability that would be needed to bind a privileged port. It's not realistic to ask all QUIC users on port 443 to run as root, so instead let's provide a basic support for capabilities at least on linux. The ones currently supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The mechanism was made OS-specific with a dedicated file because it really is. It can be easily refined later for other OSes if needed. A new keyword "setcaps" is added to the global section, to enumerate the capabilities that must be kept when switching from root to non-root. This is ignored in other situations though. HAProxy has to be built with USE_LINUX_CAP=1 for this to be supported, which is enabled by default for linux-glibc, linux-glibc-legacy and linux-musl. A good way to test this is to start haproxy with such a config: global uid 1000 setcap cap_net_bind_service frontend test mode http timeout client 3s bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt and run it under "sudo strace -e trace=bind,setuid", then connecting there from an H3 client. The bind() syscall must succeed despite the user id having been switched. 2023-08-29 04:24:26 -04:00
MINOR: cli/debug: show dev: show capabilities If haproxy compiled with Linux capabilities support, let's show process capabilities before applying the configuration and at runtime in 'show dev' command output. This maybe useful for debugging purposes. Especially in cases, when process changes its UID and GID to non-priviledged or it has started and run under non-priviledged UID and needed capabilities are set by admin on the haproxy binary. 2024-06-21 12:11:46 -04:00			`#define CAPS_TO_ULLONG(low, high) (((ullong)high << 32) \| (ullong)low)`

MINOR: capabilities: export capget and __user_cap_header_struct To be able to show process capabilities before applying its configuration and also at runtime in 'show dev' command output, we need to export the wrapper around capget() syscall. It also seems more handy to place __user_cap_header_struct in .data section and declare it as globally accessible, as we always fill it with the same values. This avoids allocate and fill these 8 bytes each time on the stack frame, when capget() or capset() wrappers are called. 2024-05-31 12:01:07 -04:00			`/* for haproxy process itself, allocate this 8 byte-size struct only once in`
			`* .data and makes it accessible from other compile-units, because we always`
			`* fill it with the same values and because we could use it to collect`
			`* capabilities for post_mortem debug info.`
			`*/`
			`extern struct __user_cap_header_struct cap_hdr_haproxy;`

			`/* provided by sys/capability.h on some distros, declared here, as could be used`
			`* in debug.c, in order to collect info about process capabilities before`
			`* applying its configuration and at runtime.`
			`*/`
			`static inline int capget(cap_user_header_t hdrp, const cap_user_data_t datap)`
			`{`
			`return syscall(SYS_capget, hdrp, datap);`
			`}`
MEDIUM: capabilities: enable support for Linux capabilities For a while there has been the constraint of having to run as root for transparent proxying, and we're starting to see some cases where QUIC is not running in socket-per-connection mode due to the missing capability that would be needed to bind a privileged port. It's not realistic to ask all QUIC users on port 443 to run as root, so instead let's provide a basic support for capabilities at least on linux. The ones currently supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The mechanism was made OS-specific with a dedicated file because it really is. It can be easily refined later for other OSes if needed. A new keyword "setcaps" is added to the global section, to enumerate the capabilities that must be kept when switching from root to non-root. This is ignored in other situations though. HAProxy has to be built with USE_LINUX_CAP=1 for this to be supported, which is enabled by default for linux-glibc, linux-glibc-legacy and linux-musl. A good way to test this is to start haproxy with such a config: global uid 1000 setcap cap_net_bind_service frontend test mode http timeout client 3s bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt and run it under "sudo strace -e trace=bind,setuid", then connecting there from an H3 client. The bind() syscall must succeed despite the user id having been switched. 2023-08-29 04:24:26 -04:00			`int prepare_caps_for_setuid(int from_uid, int to_uid);`
			`int finalize_caps_after_setuid(int from_uid, int to_uid);`
MINOR: startup: use global progname variable Let's store progname in the global variable, as it is handy to use it in different parts of code to format messages sent to stdout. This reduces the number of arguments, which we should pass to some functions. 2024-11-21 11:24:37 -05:00			`int prepare_caps_from_permitted_set(int from_uid, int to_uid);`
MEDIUM: capabilities: enable support for Linux capabilities For a while there has been the constraint of having to run as root for transparent proxying, and we're starting to see some cases where QUIC is not running in socket-per-connection mode due to the missing capability that would be needed to bind a privileged port. It's not realistic to ask all QUIC users on port 443 to run as root, so instead let's provide a basic support for capabilities at least on linux. The ones currently supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The mechanism was made OS-specific with a dedicated file because it really is. It can be easily refined later for other OSes if needed. A new keyword "setcaps" is added to the global section, to enumerate the capabilities that must be kept when switching from root to non-root. This is ignored in other situations though. HAProxy has to be built with USE_LINUX_CAP=1 for this to be supported, which is enabled by default for linux-glibc, linux-glibc-legacy and linux-musl. A good way to test this is to start haproxy with such a config: global uid 1000 setcap cap_net_bind_service frontend test mode http timeout client 3s bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt and run it under "sudo strace -e trace=bind,setuid", then connecting there from an H3 client. The bind() syscall must succeed despite the user id having been switched. 2023-08-29 04:24:26 -04:00
			`#endif /* _HAPROXY_LINUXCAP_H */`