diff options
| author | Ismo Puustinen <ismo.puustinen@intel.com> | 2016-01-08 00:00:04 +0200 |
|---|---|---|
| committer | Ismo Puustinen <ismo.puustinen@intel.com> | 2016-01-12 12:14:50 +0200 |
| commit | a103496ca585e22bb5e386e3238b468d133f5659 (patch) | |
| tree | 7d9b33722f54c969fc145f7d5fe31afe13aff09c /src/core/execute.c | |
| parent | f466acdc633fc496961eff0c7f66501f4588e5b6 (diff) | |
capabilities: keep bounding set in non-inverted format.
Change the capability bounding set parser and logic so that the bounding
set is kept as a positive set internally. This means that the set
reflects those capabilities that we want to keep instead of drop.
Diffstat (limited to 'src/core/execute.c')
| -rw-r--r-- | src/core/execute.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 9b76861919..7aeb5f1144 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1866,8 +1866,8 @@ static int exec_child( } } - if (context->capability_bounding_set_drop) { - r = capability_bounding_set_drop(context->capability_bounding_set_drop, false); + if (!cap_test_all(context->capability_bounding_set)) { + r = capability_bounding_set_drop(context->capability_bounding_set, false); if (r < 0) { *exit_status = EXIT_CAPABILITIES; return r; @@ -2114,6 +2114,7 @@ void exec_context_init(ExecContext *c) { c->timer_slack_nsec = NSEC_INFINITY; c->personality = PERSONALITY_INVALID; c->runtime_directory_mode = 0755; + c->capability_bounding_set = CAP_ALL; } void exec_context_done(ExecContext *c) { @@ -2517,12 +2518,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "", (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); - if (c->capability_bounding_set_drop) { + if (c->capability_bounding_set != CAP_ALL) { unsigned long l; fprintf(f, "%sCapabilityBoundingSet:", prefix); for (l = 0; l <= cap_last_cap(); l++) - if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) + if (c->capability_bounding_set & (UINT64_C(1) << l)) fprintf(f, " %s", strna(capability_to_name(l))); fputs("\n", f); |