diff options
Diffstat (limited to 'packaging/debian/logray.postinst.in')
| -rw-r--r-- | packaging/debian/logray.postinst.in | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/packaging/debian/logray.postinst.in b/packaging/debian/logray.postinst.in new file mode 100644 index 00000000..98f72ab2 --- /dev/null +++ b/packaging/debian/logray.postinst.in @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +# In order to capture system calls via falcosecurity-scap-dkms, we +# currently need read+write access to /dev/scap* and read access to +# various files under /proc, including /proc/<pid>/*, similar to +# the requirements described at +# https://github.com/draios/sysdig/wiki/How%20to%20Install%20Sysdig%20for%20Linux#use-sysdig-as-non-root +# +# Provide an option to install falcodump setuid root for now. +# Hopefully at some point we'll be able to switch to capabilities. +# https://falco.org/docs/install-operate/running/#least-privileged + +# There's no corresponding logray.postrm script because the "scap" group +# might be shared with falcosecurity-scap-dkms, so we don't want to +# remove it here. +# Also, there are arguments against removing groups in general: +# https://wiki.debian.org/AccountHandlingInMaintainerScripts + +. /usr/share/debconf/confmodule +PROGRAM=$(dpkg-divert --truename /usr/lib/@DEB_HOST_MULTIARCH@/logray/extcap/falcodump) +GROUP=scap + +if ! dpkg-statoverride --list $PROGRAM > /dev/null; then + db_get logray/install-setuid + if [ -e "$PROGRAM" ]; then + if [ "$RET" = "false" ] ; then + chown root:root $PROGRAM + chmod u=rwx,go=rx $PROGRAM + else + if ! addgroup --quiet --system $GROUP; then + if ! getent group $GROUP > /dev/null; then + db_input high logray/addgroup-failed || true + db_go + exit 1 + else + db_input high logray/group-is-user-group || true + db_go + fi + fi + chown root:$GROUP $PROGRAM + chmod u=rwxs,g=rx,o=r $PROGRAM + fi + fi +else + dpkg-statoverride --list $PROGRAM +fi + +#DEBHELPER# |