basic: Drop ambient inherited capabilities by default
Modify the functions capability_update_inherited_set() and capability_ambient_set_apply() to drop capabilities not explicitly requested by the user.
This commit is contained in:
parent
78af8a798a
commit
82d832b435
|
@ -86,20 +86,17 @@ unsigned long cap_last_cap(void) {
|
||||||
int capability_update_inherited_set(cap_t caps, uint64_t set) {
|
int capability_update_inherited_set(cap_t caps, uint64_t set) {
|
||||||
unsigned long i;
|
unsigned long i;
|
||||||
|
|
||||||
/* Add capabilities in the set to the inherited caps. Do not apply
|
/* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
|
||||||
* them yet. */
|
* Do not apply them yet. */
|
||||||
|
|
||||||
for (i = 0; i <= cap_last_cap(); i++) {
|
for (i = 0; i <= cap_last_cap(); i++) {
|
||||||
|
cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
|
||||||
|
cap_value_t v;
|
||||||
|
|
||||||
if (set & (UINT64_C(1) << i)) {
|
v = (cap_value_t) i;
|
||||||
cap_value_t v;
|
|
||||||
|
|
||||||
v = (cap_value_t) i;
|
if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, flag) < 0)
|
||||||
|
return -errno;
|
||||||
/* Make the capability inheritable. */
|
|
||||||
if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
|
|
||||||
return -errno;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -132,6 +129,17 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
|
||||||
/* Add the capability to the ambient set. */
|
/* Add the capability to the ambient set. */
|
||||||
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
|
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
|
||||||
return -errno;
|
return -errno;
|
||||||
|
} else {
|
||||||
|
|
||||||
|
/* Drop the capability so we don't inherit capabilities we didn't ask for. */
|
||||||
|
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return -errno;
|
||||||
|
|
||||||
|
if (r)
|
||||||
|
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
|
||||||
|
return -errno;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue