Allow setting user for all modules and capabilities per module

When setting system_user="myuser" property under settings in a config file
all modules are started as this user and its default gid.

After starting all modules the manager also switches to this user.

For each module, special Linux capabilities can be specified with e.g.
capabilities: "cap_chown+ep"
in the module section.

The manager will need to start as root or sufficient capabilities to do
that. If no user/capabilities are specified no change happens.

Implementation changes

- using SECBITS_KEEP_CAP in order to keep capabilities, when changing
  real user id
- using ambient capability set, in order to keep capabilities, when
  execve'ing
- changed name from 'system_user' to 'run_as_user'
- changed schema for capabilities in config file from string to array of
  strings
- dropped 'run_as_user' from ModuleStartInfo, could be added back, when
  configuration is possible
- known bugs:
  - incomplete error handling, when setting of capabilities fails
  - manager process doesn't change user yet (otherwise restarting of
    modules won't work), should use effective user id here
  - controller process doesn't get terminated, when forking process
    fails due to permission problems

Signed-off-by: aw <aw@pionix.de>
Signed-off-by: Cornelius Claussen <cc@pionix.de>

CMakeLists.txt

@@ -30,6 +30,13 @@ find_package(Boost
     REQUIRED
 )
 
+find_package(PkgConfig REQUIRED)
+pkg_check_modules(libcap
+    REQUIRED
+    IMPORTED_TARGET
+    libcap
+)
+
 if(NOT DISABLE_EDM)
     evc_setup_edm()
 

include/framework/runtime.hpp

@@ -114,6 +114,8 @@ struct RuntimeSettings {
     std::string telemetry_prefix;
     bool telemetry_enabled;
 
+    std::string run_as_user;
+
     nlohmann::json config;
 
     bool validate_schema;

lib/runtime.cpp

@@ -324,6 +324,7 @@ RuntimeSettings::RuntimeSettings(const std::string& prefix_, const std::string&
     } else {
         validate_schema = defaults::VALIDATE_SCHEMA;
     }
+    run_as_user = settings.value("run_as_user", "");
 }
 
 ModuleCallbacks::ModuleCallbacks(const std::function<void(ModuleAdapter module_adapter)>& register_module_adapter,

schemas/config.yaml

@@ -61,6 +61,8 @@ properties:
         type: boolean
       validate_schema:
         type: boolean
+      run_as_user:
+        type: string
     additionalProperties: false
   active_modules:
     type: object
@@ -76,6 +78,11 @@ properties:
             type: string
             #  module name
             pattern: ^[a-zA-Z_][a-zA-Z0-9_-]*$
+          capabilities:
+            description: Linux capabilities required to run this module
+            type: array
+            items:
+              type: string
           config_module:
             description: Config map for the module
             $ref: '#/$defs/config_map'

schemas/manifest.yaml

@@ -32,14 +32,6 @@ properties:
   description:
     type: string
     minLength: 2
-  capabilities:
-    description: linux capabilities this module should have (allowlist)
-    type: array
-    minItems: 0
-    items:
-      type: string
-      minLength: 6
-    default: []
   config:
     description: >-
       Config set for this module (and possibly default values) declared

src/CMakeLists.txt

@@ -1,12 +1,18 @@
 add_subdirectory(controller)
 
-add_executable(manager manager.cpp)
+add_executable(manager)
+target_sources(manager
+    PRIVATE
+        system_unix.cpp
+        manager.cpp
+)
 
 target_link_libraries(manager
     PRIVATE
+        Boost::program_options
+        PkgConfig::libcap
         everest::framework
         controller-ipc
-        Boost::program_options
 )
 
 target_compile_options(manager PRIVATE ${COMPILER_WARNING_OPTIONS})