capability: deal with libcap being older than kernel

2019-03-08 13:27:01 +01:00 · 2019-03-08 13:27:01 +01:00 · 248dd94171
parent c8a79aa812
commit 248dd94171
1 changed files with 18 additions and 3 deletions
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@ -426,8 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
                        if (q->inheritable != (uint64_t) -1) {
                                cap_flag_value_t old_value, new_value;

-                                if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value) < 0)
+                                if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value) < 0) {
+                                        if (errno == EINVAL) /* If the kernel knows more caps than this
+                                                              * version of libcap, then this will return
+                                                              * EINVAL. In that case, simply ignore it,
+                                                              * pretend it doesn't exist. */
+                                                continue;
+
                                        return -errno;
+                                }

                                new_value = (q->inheritable & m) ? CAP_SET : CAP_CLEAR;

@ -442,8 +449,12 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
                        if (q->permitted != (uint64_t) -1) {
                                cap_flag_value_t old_value, new_value;

-                                if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value) < 0)
+                                if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value) < 0) {
+                                        if (errno == EINVAL)
+                                                continue;
+
                                        return -errno;
+                                }

                                new_value = (q->permitted & m) ? CAP_SET : CAP_CLEAR;

@ -458,8 +469,12 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
                        if (q->effective != (uint64_t) -1) {
                                cap_flag_value_t old_value, new_value;

-                                if (cap_get_flag(c, cv, CAP_EFFECTIVE, &old_value) < 0)
+                                if (cap_get_flag(c, cv, CAP_EFFECTIVE, &old_value) < 0) {
+                                        if (errno == EINVAL)
+                                                continue;
+
                                        return -errno;
+                                }

                                new_value = (q->effective & m) ? CAP_SET : CAP_CLEAR;