diff options
| author | Lennart Poettering <lennart@poettering.net> | 2011-06-28 13:33:56 +0200 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2011-06-28 13:33:56 +0200 | 
| commit | ae556c210942cb6986c6d77b58505b5daa66bbe2 (patch) | |
| tree | f997b64a44df03bd846f8edd8529767e9ca77acc /src | |
| parent | c99ddfaa1ad5cfe257ebb507934e49f66d149650 (diff) | |
execute: don't choke when systemd was compiled with a different CAP_LAST_CAP then what it is run with
Diffstat (limited to 'src')
| -rw-r--r-- | src/execute.c | 12 | ||||
| -rw-r--r-- | src/nspawn.c | 4 | 
2 files changed, 10 insertions, 6 deletions
| diff --git a/src/execute.c b/src/execute.c index a62f9dbbc6..b00ccde4d5 100644 --- a/src/execute.c +++ b/src/execute.c @@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {                  }          } -        for (i = 0; i <= CAP_LAST_CAP; i++) +        for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)                  if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {                          if (prctl(PR_CAPBSET_DROP, i) < 0) { +                                if (errno == EINVAL) +                                        break; +                                  r = -errno;                                  goto finish;                          } @@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {                          (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");          if (c->capability_bounding_set_drop) { +                unsigned long l;                  fprintf(f, "%sCapabilityBoundingSet:", prefix); -                for (i = 0; i <= CAP_LAST_CAP; i++) -                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) { +                for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++) +                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {                                  char *t; -                                if ((t = cap_to_name(i))) { +                                if ((t = cap_to_name(l))) {                                          fprintf(f, " %s", t);                                          cap_free(t);                                  } diff --git a/src/nspawn.c b/src/nspawn.c index b5908d63ff..1ade6e25ef 100644 --- a/src/nspawn.c +++ b/src/nspawn.c @@ -332,7 +332,7 @@ static int drop_capabilities(void) {          unsigned long l; -        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) { +        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {                  unsigned i;                  for (i = 0; i < ELEMENTSOF(retain); i++) @@ -347,7 +347,7 @@ static int drop_capabilities(void) {                          /* If this capability is not known, EINVAL                           * will be returned, let's ignore this. */                          if (errno == EINVAL) -                                continue; +                                break;                          log_error("PR_CAPBSET_DROP failed: %m");                          return -errno; | 
