diff options
author | Lennart Poettering <lennart@poettering.net> | 2011-06-28 13:33:56 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2011-06-28 13:33:56 +0200 |
commit | ae556c210942cb6986c6d77b58505b5daa66bbe2 (patch) | |
tree | f997b64a44df03bd846f8edd8529767e9ca77acc | |
parent | c99ddfaa1ad5cfe257ebb507934e49f66d149650 (diff) |
execute: don't choke when systemd was compiled with a different CAP_LAST_CAP then what it is run with
-rw-r--r-- | src/execute.c | 12 | ||||
-rw-r--r-- | src/nspawn.c | 4 |
2 files changed, 10 insertions, 6 deletions
diff --git a/src/execute.c b/src/execute.c index a62f9dbbc6..b00ccde4d5 100644 --- a/src/execute.c +++ b/src/execute.c @@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) { } } - for (i = 0; i <= CAP_LAST_CAP; i++) + for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++) if (drop & ((uint64_t) 1ULL << (uint64_t) i)) { if (prctl(PR_CAPBSET_DROP, i) < 0) { + if (errno == EINVAL) + break; + r = -errno; goto finish; } @@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); if (c->capability_bounding_set_drop) { + unsigned long l; fprintf(f, "%sCapabilityBoundingSet:", prefix); - for (i = 0; i <= CAP_LAST_CAP; i++) - if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) { + for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++) + if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) { char *t; - if ((t = cap_to_name(i))) { + if ((t = cap_to_name(l))) { fprintf(f, " %s", t); cap_free(t); } diff --git a/src/nspawn.c b/src/nspawn.c index b5908d63ff..1ade6e25ef 100644 --- a/src/nspawn.c +++ b/src/nspawn.c @@ -332,7 +332,7 @@ static int drop_capabilities(void) { unsigned long l; - for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) { + for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) { unsigned i; for (i = 0; i < ELEMENTSOF(retain); i++) @@ -347,7 +347,7 @@ static int drop_capabilities(void) { /* If this capability is not known, EINVAL * will be returned, let's ignore this. */ if (errno == EINVAL) - continue; + break; log_error("PR_CAPBSET_DROP failed: %m"); return -errno; |