summaryrefslogtreecommitdiff
path: root/src/execute.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2011-03-18 03:13:15 +0100
committerLennart Poettering <lennart@poettering.net>2011-03-18 04:52:45 +0100
commit260abb780a135e4cae8c10715c7e85675efc345a (patch)
treea21a20d20b33ea05c68442b9970e0b6d9a02434e /src/execute.c
parent893844ed434e35e6227e0b17c16b7047360170e2 (diff)
exec: properly apply capability bounding set, add inverted bounding sets
Diffstat (limited to 'src/execute.c')
-rw-r--r--src/execute.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/execute.c b/src/execute.c
index c1edf61fb1..a467411f7d 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -1249,6 +1249,15 @@ int exec_spawn(ExecCommand *command,
}
}
+ if (context->capability_bounding_set_drop)
+ for (i = 0; i <= CAP_LAST_CAP; i++)
+ if (context->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i)) {
+ if (prctl(PR_CAPBSET_DROP, i) < 0) {
+ r = EXIT_CAPABILITIES;
+ goto fail_child;
+ }
+ }
+
if (context->user)
if (enforce_user(context, uid) < 0) {
r = EXIT_USER;
@@ -1664,15 +1673,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
(c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
if (c->capability_bounding_set_drop) {
- fprintf(f, "%sCapabilityBoundingSetDrop:", prefix);
+ fprintf(f, "%sCapabilityBoundingSet:", prefix);
for (i = 0; i <= CAP_LAST_CAP; i++)
- if (c->capability_bounding_set_drop & (1 << i)) {
+ if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
char *t;
if ((t = cap_to_name(i))) {
fprintf(f, " %s", t);
- free(t);
+ cap_free(t);
}
}
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-09 21:18:01 +0000