Add capabilities, priority, and oom-score-adjustment support on Linux

.github/workflows/meson_ci.yml

@@ -61,12 +61,12 @@ jobs:
       if: ${{ matrix.arch == 'amd64' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install g++ meson m4 -y
+        DEBIAN_FRONTEND=noninteractive apt-get install g++ meson m4 libcap-dev -y
     - name: Getting depends (i386)
       if: ${{ matrix.arch == 'i386' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install meson m4:i386 g++:i386 -y
+        DEBIAN_FRONTEND=noninteractive apt-get install meson m4:i386 g++:i386 libcap-dev:i386 -y
     - name: Setup
       run: meson setup -Dunit-tests=true -Digr-tests=true dirbuild
     - name: Build
@@ -130,7 +130,7 @@ jobs:
     - name: Getting depends
       run: |
         apk update
-        apk add meson g++ m4
+        apk add meson g++ m4 libcap-dev
     - name: Setup
       run: meson setup -Dunit-tests=true -Digr-tests=true dirbuild
     - name: Build

.github/workflows/regular_ci.yml

@@ -52,12 +52,12 @@ jobs:
       if: ${{ matrix.arch == 'amd64' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install g++ make m4 file -y
+        DEBIAN_FRONTEND=noninteractive apt-get install g++ make m4 libcap-dev file -y
     - name: Getting depends (i386)
       if: ${{ matrix.arch == 'i386' }}
       run: |
         apt-get update
-        DEBIAN_FRONTEND=noninteractive apt-get install gcc:i386 make:i386 m4:i386 g++:i386 file -y
+        DEBIAN_FRONTEND=noninteractive apt-get install gcc:i386 make:i386 m4:i386 g++:i386 libcap-dev:i386 file -y
     - name: Print g++ architecture
       run: g++ -dumpmachine
     - name: Build
@@ -123,7 +123,7 @@ jobs:
     - name: Getting depends
       run: |
         apk update
-        apk add make g++ m4 file
+        apk add make g++ m4 file libcap-dev
     - name: Print g++ architecture
       run: g++ -dumpmachine
     - name: Build

build/Makefile

@@ -15,6 +15,9 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
 		DEFAULT_START_TIMEOUT=$(DEFAULT_START_TIMEOUT) \
 		DEFAULT_STOP_TIMEOUT=$(DEFAULT_STOP_TIMEOUT) \
 		$(if $(SUPPORT_CGROUPS),SUPPORT_CGROUPS=$(SUPPORT_CGROUPS),) \
+		$(if $(SUPPORT_CAPABILITIES),SUPPORT_CAPABILITIES=$(SUPPORT_CAPABILITIES),) \
+		$(if $(SUPPORT_IOPRIO),SUPPORT_IOPRIO=$(SUPPORT_IOPRIO),) \
+		$(if $(SUPPORT_OOM_ADJ),SUPPORT_OOM_ADJ=$(SUPPORT_OOM_ADJ),) \
 		$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
 		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
 

build/mconfig.mesontemplate

@@ -8,6 +8,9 @@
 #mesondefine USE_UTMPX
 #mesondefine USE_INITGROUPS
 #mesondefine SUPPORT_CGROUPS
+#mesondefine SUPPORT_CAPABILITIES
+#mesondefine SUPPORT_IOPRIO
+#mesondefine SUPPORT_OOM_ADJ
 #mesondefine DEFAULT_AUTO_RESTART
 #mesondefine DEFAULT_START_TIMEOUT
 #mesondefine DEFAULT_STOP_TIMEOUT

build/tools/mconfig-gen.cc

@@ -77,6 +77,15 @@ int main(int argc, char **argv)
     if (vars.find("SUPPORT_CGROUPS") != vars.end()) {
         cout << "#define SUPPORT_CGROUPS " << vars["SUPPORT_CGROUPS"] << "\n";
     }
+    if (vars.find("SUPPORT_CAPABILITIES") != vars.end()) {
+        cout << "#define SUPPORT_CAPABILITIES " << vars["SUPPORT_CAPABILITIES"] << "\n";
+    }
+    if (vars.find("SUPPORT_IOPRIO") != vars.end()) {
+        cout << "#define SUPPORT_IOPRIO " << vars["SUPPORT_IOPRIO"] << "\n";
+    }
+    if (vars.find("SUPPORT_OOM_ADJ") != vars.end()) {
+        cout << "#define SUPPORT_OOM_ADJ " << vars["SUPPORT_OOM_ADJ"] << "\n";
+    }
     if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
         cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
     }

configs/mconfig.Linux

@@ -38,6 +38,9 @@ TEST_LDFLAGS=$(TEST_LDFLAGS_BASE) $(TEST_CXXFLAGS)
 # Features.
 
 SUPPORT_CGROUPS=1
+SUPPORT_CAPABILITIES=1
+SUPPORT_IOPRIO=1
+SUPPORT_OOM_ADJ=1
 
 
 # Service defaults.

configs/mconfig.Linux.sh

@@ -111,6 +111,9 @@ FEATURE_SETTINGS=$(
   echo "# Feature settings"
   echo ""
   echo "SUPPORT_CGROUPS=1"
+  echo "SUPPORT_CAPABILITIES=1"
+  echo "SUPPORT_IOPRIO=1"
+  echo "SUPPORT_OOM_ADJ=1"
 )
 
 SERVICE_DEFAULTS=$(

configure

@@ -208,6 +208,9 @@ for var in PREFIX \
            SHUTDOWN_PREFIX \
            BUILD_SHUTDOWN \
            SUPPORT_CGROUPS \
+           SUPPORT_CAPABILITIES \
+           SUPPORT_IOPRIO \
+           SUPPORT_OOM_ADJ \
            USE_UTMPX \
            USE_INITGROUPS \
            SYSCONTROLSOCKET \
@@ -239,6 +242,12 @@ for arg in "$@"; do
         --disable-shutdown|--enable-shutdown=no) BUILD_SHUTDOWN=no ;;
         --enable-cgroups|--enable-cgroups=yes) SUPPORT_CGROUPS=1 ;;
         --disable-cgroups|--enable-cgroups=no) SUPPORT_CGROUPS=0 ;;
+        --enable-capabilities|--enable-capabilities=yes) SUPPORT_CAPABILITIES=1 ;;
+        --disable-capabilities|--enable-capabilities=no) SUPPORT_CAPABILITIES=0 ;;
+        --enable-ioprio|--enable-ioprio=yes) SUPPORT_IOPRIO=1 ;;
+        --disable-ioprio|--enable-ioprio=no) SUPPORT_IOPRIO=0 ;;
+        --enable-oom-adj|--enable-oom-adj=yes) SUPPORT_OOM_ADJ=1 ;;
+        --disable-oom-adj|--enable-oom-adj=no) SUPPORT_OOM_ADJ=0 ;;
         --enable-utmpx|--enable-utmpx=yes) USE_UTMPX=1 ;;
         --disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
         --enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
@@ -278,10 +287,16 @@ done
 if [ "$PLATFORM" = "Linux" ]; then
     : "${BUILD_SHUTDOWN:="yes"}"
     : "${SUPPORT_CGROUPS:="1"}"
+    : "${SUPPORT_CAPABILITIES:="1"}"
+    : "${SUPPORT_IOPRIO:="1"}"
+    : "${SUPPORT_OOM_ADJ:="1"}"
     : "${SYSCONTROLSOCKET:="/run/dinitctl"}"
 else
     : "${BUILD_SHUTDOWN:="no"}"
     : "${SUPPORT_CGROUPS:="0"}"
+    : "${SUPPORT_CAPABILITIES:="0"}"
+    : "${SUPPORT_IOPRIO:="0"}"
+    : "${SUPPORT_OOM_ADJ:="0"}"
     : "${SYSCONTROLSOCKET:="/var/run/dinitctl"}"
 fi
 
@@ -467,6 +482,9 @@ STRIPOPTS=$STRIPOPTS
 # Feature settings
 SUPPORT_CGROUPS=$SUPPORT_CGROUPS
 USE_INITGROUPS=$USE_INITGROUPS
+SUPPORT_CAPABILITIES=$SUPPORT_CAPABILITIES
+SUPPORT_IOPRIO=$SUPPORT_IOPRIO
+SUPPORT_OOM_ADJ=$SUPPORT_OOM_ADJ
 
 # Optional settings
 SHUTDOWN_PREFIX=${SHUTDOWN_PREFIX:-}

doc/manpages/dinit-service.5.m4

@@ -541,6 +541,12 @@ See the \fBRESOURCE LIMITS\fR section.
 Note that some operating systems (notably, OpenBSD) do not support this limit; the
 setting will be ignored on such systems.
 .TP
+\fBnice\fR = \fInice-value\fR
+Specifies the CPU priority of the process.
+When the given value is out of range for the operating system, it will be clamped to
+supported range, but no error will be issued.
+On Linux, this also sets the autogroup priority, assuming procfs is mounted.
+.TP
 \fBrun\-in\-cgroup\fR = \fIcgroup-path\fR
 Run the service process(es) in the specified cgroup (see \fBcgroups\fR(7)).
 The cgroup is specified as a path; if it has a leading slash, the remainder of the path is
@@ -557,6 +563,46 @@ The named cgroup must already exist prior to the service starting; it will not b
 \fBdinit\fR.
 .IP
 This setting is only available if \fBdinit\fR was built with cgroups support.
+.TP
+\fBcapabilities\fR = \fIiab\fR
+.TQ
+\fBcapabilities\fR += \fIiab-addendum\fR
+Run the service process(es) with capabilities specified by \fIiab\fR (see \fBcapabilities\fR(7)).
+The syntax follows the regular capabilities IAB format, with comma-separated capabilities.
+The append form of this setting will add to the previous IAB string, automatically adding
+a comma to the previous string, so you do not need to add it manually.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
+.TP
+\fBsecure\-bits\fR = \fIsecbits\fR
+.TQ
+\fBsecure\-bits\fR += \fIsecbits-addendum\fR
+This is a companion option to \fBcapabilities\fR, specifying the secure bits for the
+process.
+Here, it is a space-separated list of keywords. The allowed keywords are \fIkeep-caps\fR,
+\fIno-setuid-fixup\fR, \fInoroot\fR, and variants of the three with the \fI-locked\fR
+suffix.
+The append form can be used to add more secure bits, with everything being ORed together
+at the end and used as an integer.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
+.TP
+\fBioprio\fR = \fIioprio-value\fR
+Specifies the I/O priority class and value for the process.
+The permitted values are \fInone\fR, \fIidle\fR, \fIrealtime:PRIO\fR, and
+\fIbest-effort:PRIO\fR, where \fIPRIO\fR is an integer value no less than 0
+and no more than 7.
+.IP
+This setting is only available if \fBdinit\fR was built with ioprio support.
+.TP
+\fBoom-score-adj\fR = \fIadj-value\fR
+Specifies the OOM killer score adjustment for the service.
+The value is an integer no less than -1000 and no more than 1000.
+.IP
+This setting is only available if \fBdinit\fR was built with OOM score adjustment support.
+.IP
+This setting requires the proc filesystem to be mounted, and will result in a
+service startup failure if that is not the case.
 .\"
 .SS OPTIONS
 .\"
@@ -685,6 +731,13 @@ is suggested, i.e. every other service should either be a (possibly transitive)
 dependent of the service with this option set.
 .IP
 This option can be used for scripted and internal services only.
+.TP
+\fBno\-new\-privs\fR
+Normally, child processes can gain privileges that their parent did not have, such
+as setuid or setgid and file capabilities. This option can be specified to prevent
+the service from gaining such privileges.
+.IP
+This setting is only available if \fBdinit\fR was built with capabilities support.
 .\"
 .SS RESOURCE LIMITS
 .\"

meson.build

@@ -31,6 +31,9 @@ igr_tests = get_option('igr-tests')
 fuzzer = get_option('fuzzer')
 man_pages = get_option('man-pages')
 support_cgroups = get_option('support-cgroups')
+support_capabilities = get_option('support-capabilities')
+support_ioprio = get_option('support-ioprio')
+support_oom_adj = get_option('support-oom-adj')
 use_utmpx = get_option('use-utmpx')
 use_initgroups = get_option('use-initgroups')
 default_auto_restart = get_option('default-auto-restart')
@@ -56,6 +59,9 @@ if platform == 'freebsd' and compiler.has_link_argument('-lrt')
     add_project_link_arguments('-lrt', language : 'cpp')
 endif
 
+## Dependencies
+libcap_dep = dependency('libcap', required: support_capabilities)
+
 ## Prepare mconfig.h
 mconfig_data.set_quoted('DINIT_VERSION', version)
 mconfig_data.set_quoted('SYSCONTROLSOCKET', dinit_control_socket_path)
@@ -65,9 +71,10 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
-if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
-    mconfig_data.set('SUPPORT_CGROUPS', '1') 
-endif
+mconfig_data.set10('SUPPORT_CGROUPS', support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled())
+mconfig_data.set10('SUPPORT_CAPABILITIES', libcap_dep.found() and not support_capabilities.disabled())
+mconfig_data.set10('SUPPORT_IOPRIO', support_ioprio.auto() and platform == 'linux' or support_ioprio.enabled())
+mconfig_data.set10('SUPPORT_OOM_ADJ', support_oom_adj.auto() and platform == 'linux' or support_oom_adj.enabled())
 if use_utmpx.enabled() or (use_utmpx.auto() and compiler.has_header_symbol('utmpx.h', '_PATH_UTMPX') and
         compiler.has_header_symbol('utmpx.h', '_PATH_WTMPX'))
     mconfig_data.set('USE_UTMPX', '1')

meson_options.txt

@@ -83,7 +83,25 @@ option(
     'support-cgroups',
     type : 'feature',
     value : 'auto',
-    description : 'Enable Cgroups supprot.'
+    description : 'Enable Cgroups support.'
+)
+option(
+    'support-capabilities',
+    type : 'feature',
+    value : 'auto',
+    description : 'Enable capabilities support.'
+)
+option(
+    'support-ioprio',
+    type : 'feature',
+    value : 'auto',
+    description : 'Enable ioprio support.'
+)
+option(
+    'support-oom-adj',
+    type : 'feature',
+    value : 'auto',
+    description : 'Enable OOM score adjustment support.'
 )
 option(
     'build-shutdown',

src/Makefile

@@ -9,6 +9,10 @@ ifeq ($(BUILD_SHUTDOWN),yes)
   SHUTDOWN=$(SHUTDOWN_PREFIX)shutdown
 endif
 
+ifeq ($(SUPPORT_CAPABILITIES),1)
+  ALL_LDFLAGS+=-lcap
+endif
+
 dinit_objects = dinit.o load-service.o service.o proc-service.o baseproc-service.o control.o dinit-log.o \
 		dinit-main.o run-child-proc.o options-processing.o dinit-env.o settings.o
 

src/baseproc-service.cc

@@ -257,9 +257,23 @@ bool base_process_service::start_ps_process(const std::vector<const char *> &cmd
             run_params.env_file = env_file.c_str();
             run_params.output_fd = log_output_fd;
             run_params.input_fd = input_fd;
+            run_params.nice_is_set = nice_is_set;
+            run_params.nice = nice;
             #if SUPPORT_CGROUPS
             run_params.run_in_cgroup = run_in_cgroup.c_str();
             #endif
+            #if SUPPORT_CAPABILITIES
+            run_params.cap_iab = cap_iab.get();
+            run_params.secbits = secbits;
+            run_params.no_new_privs = onstart_flags.no_new_privs;
+            #endif
+            #if SUPPORT_IOPRIO
+            run_params.ioprio = ioprio;
+            #endif
+            #if SUPPORT_OOM_ADJ
+            run_params.oom_adj_is_set = oom_adj_is_set;
+            run_params.oom_adj = oom_adj;
+            #endif
             run_child_proc(run_params);
         }
         else {