capability: use /proc/sys/kernel/cap_last_cap

This file was introduced with linux-3.2, use it instead of probing for it
via prctl(PR_CAPBSET_READ).

For now, keep the old code for backwards compat. We can drop it once 3.2
is our lowest requirement.

The test-cap-list code is extended to verify cap_last_cap() is the same as
we'd get via prctl probing and /proc.

1 files changed, 14 insertions, 0 deletions

diff --git a/src/shared/capability.c b/src/shared/capability.c
index 65d7e038a7..b1be043803 100644
--- a/src/shared/capability.c
+++ b/src/shared/capability.c
@@ -54,11 +54,25 @@ int have_effective_cap(int value) {
 unsigned long cap_last_cap(void) {
         static thread_local unsigned long saved;
         static thread_local bool valid = false;
+        _cleanup_free_ char *content = NULL;
         unsigned long p;
+        int r;
 
         if (valid)
                 return saved;
 
+        /* available since linux-3.2 */
+        r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
+        if (r >= 0) {
+                r = safe_atolu(content, &p);
+                if (r >= 0) {
+                        saved = p;
+                        valid = true;
+                        return p;
+                }
+        }
+
+        /* fall back to syscall-probing for pre linux-3.2 */
         p = (unsigned long) CAP_LAST_CAP;
 
         if (prctl(PR_CAPBSET_READ, p) < 0) {