lib: Add restrict_access_get/set_dumpable

src/lib/restrict-access.c

@@ -477,14 +477,30 @@ const char *restrict_access_get_current_chroot(void)
 	return chroot_dir;
 }
 
-void restrict_access_allow_coredumps(bool allow ATTR_UNUSED)
+void restrict_access_set_dumpable(bool allow ATTR_UNUSED)
 {
 #ifdef HAVE_PR_SET_DUMPABLE
+	if (prctl(PR_SET_DUMPABLE, allow ? 1 : 0, 0, 0, 0) < 0)
+		i_error("prctl(PR_SET_DUMPABLE) failed: %m");
+#endif
+}
+
+bool restrict_access_get_dumpable(void)
+{
+#ifdef HAVE_PR_SET_DUMPABLE
+	bool allow = FALSE;
+	if (prctl(PR_GET_DUMPABLE, &allow, 0, 0, 0) < 0)
+		i_error("prctl(PR_GET_DUMPABLE) failed: %m");
+	return allow;
+#endif
+	return TRUE;
+}
+
+void restrict_access_allow_coredumps(bool allow)
+{
 	if (getenv("PR_SET_DUMPABLE") != NULL) {
-		if (prctl(PR_SET_DUMPABLE, allow ? 1 : 0, 0, 0, 0) < 0)
-			i_error("prctl(PR_SET_DUMPABLE) failed: %m");
+		restrict_access_set_dumpable(allow);
 	}
-#endif
 }
 
 int restrict_access_use_priv_gid(void)

src/lib/restrict-access.h

@@ -57,6 +57,15 @@ const char *restrict_access_get_current_chroot(void);
 */
 void restrict_access_allow_coredumps(bool allow);
 
+/* Sets process dumpable true or false. Setting this true allows core dumping,
+   reading /proc/self/io, attaching with PTRACE_ATTACH, and also changes
+   ownership of /proc/[pid] directory. */
+void restrict_access_set_dumpable(bool allow);
+
+/* Gets process dumpability, returns TRUE if not supported, because
+   we then assume that constraint is not present. */
+bool restrict_access_get_dumpable(void);
+
 /* If privileged_gid was set, these functions can be used to temporarily
    gain access to the group. */
 int restrict_access_use_priv_gid(void);