summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2011-06-28 13:33:56 +0200
committerLennart Poettering <lennart@poettering.net>2011-06-28 13:33:56 +0200
commitae556c210942cb6986c6d77b58505b5daa66bbe2 (patch)
treef997b64a44df03bd846f8edd8529767e9ca77acc
parentc99ddfaa1ad5cfe257ebb507934e49f66d149650 (diff)
execute: don't choke when systemd was compiled with a different CAP_LAST_CAP then what it is run with
-rw-r--r--src/execute.c12
-rw-r--r--src/nspawn.c4
2 files changed, 10 insertions, 6 deletions
diff --git a/src/execute.c b/src/execute.c
index a62f9dbbc6..b00ccde4d5 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {
}
}
- for (i = 0; i <= CAP_LAST_CAP; i++)
+ for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
if (prctl(PR_CAPBSET_DROP, i) < 0) {
+ if (errno == EINVAL)
+ break;
+
r = -errno;
goto finish;
}
@@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
(c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
if (c->capability_bounding_set_drop) {
+ unsigned long l;
fprintf(f, "%sCapabilityBoundingSet:", prefix);
- for (i = 0; i <= CAP_LAST_CAP; i++)
- if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
+ for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
+ if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
char *t;
- if ((t = cap_to_name(i))) {
+ if ((t = cap_to_name(l))) {
fprintf(f, " %s", t);
cap_free(t);
}
diff --git a/src/nspawn.c b/src/nspawn.c
index b5908d63ff..1ade6e25ef 100644
--- a/src/nspawn.c
+++ b/src/nspawn.c
@@ -332,7 +332,7 @@ static int drop_capabilities(void) {
unsigned long l;
- for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) {
+ for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {
unsigned i;
for (i = 0; i < ELEMENTSOF(retain); i++)
@@ -347,7 +347,7 @@ static int drop_capabilities(void) {
/* If this capability is not known, EINVAL
* will be returned, let's ignore this. */
if (errno == EINVAL)
- continue;
+ break;
log_error("PR_CAPBSET_DROP failed: %m");
return -errno;