exec: properly apply capability bounding set, add inverted bounding sets

author: Lennart Poettering <lennart@poettering.net> 2011-03-18 03:13:15 +0100
committer: Lennart Poettering <lennart@poettering.net> 2011-03-18 04:52:45 +0100
commit: 260abb780a135e4cae8c10715c7e85675efc345a (patch)
tree: a21a20d20b33ea05c68442b9970e0b6d9a02434e /src/load-fragment.c
parent: 893844ed434e35e6227e0b17c16b7047360170e2 (diff)
1 files changed, 19 insertions, 2 deletions
diff --git a/src/load-fragment.c b/src/load-fragment.c
index 334bc713be..ac22b94509 100644
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -852,12 +852,24 @@ static int config_parse_bounding_set(
         char *w;
         size_t l;
         char *state;
+        bool invert = false;
+        uint64_t sum = 0;
 
         assert(filename);
         assert(lvalue);
         assert(rvalue);
         assert(data);
 
+        if (rvalue[0] == '~') {
+                invert = true;
+                rvalue++;
+        }
+
+        /* Note that we store this inverted internally, since the
+         * kernel wants it like this. But we actually expose it
+         * non-inverted everywhere to have a fully normalized
+         * interface. */
+
         FOREACH_WORD_QUOTED(w, l, rvalue, state) {
                 char *t;
                 int r;
@@ -874,9 +886,14 @@ static int config_parse_bounding_set(
                         return 0;
                 }
 
-                c->capability_bounding_set_drop |= 1 << cap;
+                sum |= ((uint64_t) 1ULL) << (uint64_t) cap;
         }
 
+        if (invert)
+                c->capability_bounding_set_drop |= sum;
+        else
+                c->capability_bounding_set_drop |= ~sum;
+
         return 0;
 }
 
@@ -1772,7 +1789,7 @@ static int load_from_path(Unit *u, const char *path) {
                 { "SyslogLevelPrefix",      config_parse_bool,            &(context).syslog_level_prefix,                  section   }, \
                 { "Capabilities",           config_parse_capabilities,    &(context),                                      section   }, \
                 { "SecureBits",             config_parse_secure_bits,     &(context),                                      section   }, \
-                { "CapabilityBoundingSetDrop", config_parse_bounding_set, &(context),                                      section   }, \
+                { "CapabilityBoundingSet",  config_parse_bounding_set,    &(context),                                      section   }, \
                 { "TimerSlackNSec",         config_parse_timer_slack_nsec,&(context),                                      section   }, \
                 { "LimitCPU",               config_parse_limit,           &(context).rlimit[RLIMIT_CPU],                   section   }, \
                 { "LimitFSIZE",             config_parse_limit,           &(context).rlimit[RLIMIT_FSIZE],                 section   }, \
author	Lennart Poettering <lennart@poettering.net>	2011-03-18 03:13:15 +0100
committer	Lennart Poettering <lennart@poettering.net>	2011-03-18 04:52:45 +0100
commit	260abb780a135e4cae8c10715c7e85675efc345a (patch)
tree	a21a20d20b33ea05c68442b9970e0b6d9a02434e /src/load-fragment.c
parent	893844ed434e35e6227e0b17c16b7047360170e2 (diff)