From 260abb780a135e4cae8c10715c7e85675efc345a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 18 Mar 2011 03:13:15 +0100
Subject: exec: properly apply capability bounding set, add inverted bounding sets

---
 src/execute.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'src/execute.c')

diff --git a/src/execute.c b/src/execute.c
index c1edf61fb1..a467411f7d 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -1249,6 +1249,15 @@ int exec_spawn(ExecCommand *command,
 }
 }
+ if (context->capability_bounding_set_drop)
+ for (i = 0; i <= CAP_LAST_CAP; i++)
+ if (context->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i)) {
+ if (prctl(PR_CAPBSET_DROP, i) < 0) {
+ r = EXIT_CAPABILITIES;
+ goto fail_child;
+ }
+ }
+
 if (context->user)
 if (enforce_user(context, uid) < 0) {
 r = EXIT_USER;
@@ -1664,15 +1673,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 if (c->capability_bounding_set_drop) {
- fprintf(f, "%sCapabilityBoundingSetDrop:", prefix);
+ fprintf(f, "%sCapabilityBoundingSet:", prefix);
 for (i = 0; i <= CAP_LAST_CAP; i++)
- if (c->capability_bounding_set_drop & (1 << i)) {
+ if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
 char *t;
 if ((t = cap_to_name(i))) {
 fprintf(f, " %s", t);
- free(t);
+ cap_free(t);
 }
 }
-- 
cgit v1.2.3-54-g00ecf
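Review bot: Every failure of `prctl(PR_CAPBSET_DROP, i)` in the new loop is fatal, yet the loop bound CAP_LAST_CAP is a build-time constant from the kernel headers, so on a running kernel older than the headers a capability number the kernel does not know yields EINVAL and the whole spawn dies with EXIT_CAPABILITIES, while on a newer kernel any capability above the build-time CAP_LAST_CAP is silently left in the bounding set — which matters for the inverted "keep only these" semantics the subject announces. Consider distinguishing EINVAL on an unknown capability number from a genuine EPERM, or deriving the highest capability number at runtime rather than from the headers; I would want that confirmed against the kernel range this is meant to run on. A short comment on the placement would also help, e.g. `/* Drop from the bounding set before enforce_user(): PR_CAPBSET_DROP presumably needs CAP_SETPCAP in the effective set, which a uid switch may remove -- confirm */`. exec_spawn() starts and ends outside the hunk.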