From 260abb780a135e4cae8c10715c7e85675efc345a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 18 Mar 2011 03:13:15 +0100
Subject: exec: properly apply capability bounding set, add inverted bounding sets
---
 src/load-fragment.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
(limited to 'src/load-fragment.c')
diff --git a/src/load-fragment.c b/src/load-fragment.c
index 334bc713be..ac22b94509 100644
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -852,12 +852,24 @@ static int config_parse_bounding_set(
 char *w;
 size_t l;
 char *state;
+ bool invert = false;
+ uint64_t sum = 0;
 assert(filename);
 assert(lvalue);
 assert(rvalue);
 assert(data);
+ if (rvalue[0] == '~') {
+ invert = true;
+ rvalue++;
+ }
+
+ /* Note that we store this inverted internally, since the
+ * kernel wants it like this. But we actually expose it
+ * non-inverted everywhere to have a fully normalized
+ * interface. */
+
 FOREACH_WORD_QUOTED(w, l, rvalue, state) {
 char *t;
 int r;
@@ -874,9 +886,14 @@ static int config_parse_bounding_set(
 return 0;
 }
- c->capability_bounding_set_drop |= 1 << cap;
+ sum |= ((uint64_t) 1ULL) << (uint64_t) cap;
 }
+ if (invert)
+ c->capability_bounding_set_drop |= sum;
+ else
+ c->capability_bounding_set_drop |= ~sum;
+
 return 0;
 }
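Review bot: The comment added after the `~` check explains how the mask is stored internally but never says what the prefix means to the person writing the unit file, which is the part that must be read correctly for a security setting. I would add `/* Without '~' the listed capabilities are the only ones kept; with '~' they are the ones dropped. */` next to the `if (rvalue[0] == '~')` block. The test also matches a `~` only in the very first byte, so it relies on the caller having stripped leading whitespace from rvalue; that is not visible here, because config_parse_bounding_set starts before and continues past this hunk.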
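Review bot: In the non-inverted branch, `c->capability_bounding_set_drop |= ~sum;` ORs into whatever the drop mask already holds, so a second `CapabilityBoundingSet=` line narrows the result to the intersection of the lists instead of extending it, and a keep-list can never undo an earlier drop. That fails closed, but it is surprising enough to deserve a comment such as `/* Repeated assignments only ever drop more: keep-lists intersect. */` above the `if (invert)`. Separately, the `return 0;` at the top of the hunk looks like the error path for an unparseable capability name (its condition is outside the hunk); since the mask is now applied only after the loop, that path would leave the drop mask untouched, so a typo in a keep-list could leave the service with an unrestricted bounding set. Consider returning an error there, or applying the most restrictive mask before bailing out.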
@@ -1772,7 +1789,7 @@ static int load_from_path(Unit *u, const char *path) {
 { "SyslogLevelPrefix", config_parse_bool, &(context).syslog_level_prefix, section }, \
 { "Capabilities", config_parse_capabilities, &(context), section }, \
 { "SecureBits", config_parse_secure_bits, &(context), section }, \
- { "CapabilityBoundingSetDrop", config_parse_bounding_set, &(context), section }, \
+ { "CapabilityBoundingSet", config_parse_bounding_set, &(context), section }, \
 { "TimerSlackNSec", config_parse_timer_slack_nsec,&(context), section }, \
 { "LimitCPU", config_parse_limit, &(context).rlimit[RLIMIT_CPU], section }, \
 { "LimitFSIZE", config_parse_limit, &(context).rlimit[RLIMIT_FSIZE], section }, \
--
cgit v1.2.3-54-g00ecf
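Review bot: The table entry replaces the `CapabilityBoundingSetDrop` key outright, so unit files that still use the old name no longer match anything in this table; how unknown keys are handled is outside the hunk, but if they are merely logged and skipped, those services silently lose their capability restriction. Re-adding the old name against the same parser would not be safe either, because without a `~` the words are now read as the capabilities to keep rather than to drop. A dedicated compatibility entry that preserves the old drop-list meaning, or at least a prominent warning when the old key is seen, would avoid that downgrade. The macro containing this table starts and ends outside the hunk.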