picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Merge pull request #14133 from keur/clear_ambient_inherited

Browse source 
Clear ambient inherited
This commit is contained in:
Lennart Poettering 2019-12-04 10:30:58 +01:00 committed by GitHub
parent b51d61fec6 943800f4e7
commit eaadc03d61
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
src/basic/capability-util.c
View file

@ -86,20 +86,17 @@ unsigned long cap_last_cap(void) {
int capability_update_inherited_set(cap_t caps, uint64_t set) {
unsigned long i;
/* Add capabilities in the set to the inherited caps. Do not apply
* them yet. */
/* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
* Do not apply them yet. */
for (i = 0; i <= cap_last_cap(); i++) {
cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
cap_value_t v;
if (set & (UINT64_C(1) << i)) {
cap_value_t v;
v = (cap_value_t) i;
v = (cap_value_t) i;
/* Make the capability inheritable. */
if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
return -errno;
}
if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, flag) < 0)
return -errno;
}
return 0;
@ -132,6 +129,17 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
/* Add the capability to the ambient set. */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
return -errno;
} else {
/* Drop the capability so we don't inherit capabilities we didn't ask for. */
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
if (r < 0)
return -errno;
if (r)
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
return -errno;
}
}

3
src/core/execute.c
View file

@ -3595,8 +3595,7 @@ static int exec_child(
/* This is done before enforce_user, but ambient set
* does not survive over setresuid() if keep_caps is not set. */
if (!needs_ambient_hack &&
context->capability_ambient_set != 0) {
if (!needs_ambient_hack) {
r = capability_ambient_set_apply(context->capability_ambient_set, true);
if (r < 0) {
*exit_status = EXIT_CAPABILITIES;

16
src/test/test-capability.c
View file

@ -195,7 +195,7 @@ static void test_update_inherited_set(void) {
cap_free(caps);
}
static void test_set_ambient_caps(void) {
static void test_apply_ambient_caps(void) {
cap_t caps;
uint64_t set = 0;
cap_flag_value_t fv;
@ -207,11 +207,21 @@ static void test_set_ambient_caps(void) {
assert_se(!capability_ambient_set_apply(set, true));
caps = cap_get_proc();
assert_se(caps);
assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
assert(fv == CAP_SET);
assert_se(fv == CAP_SET);
cap_free(caps);
assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
assert_se(!capability_ambient_set_apply(0, true));
caps = cap_get_proc();
assert_se(caps);
assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
assert_se(fv == CAP_CLEAR);
cap_free(caps);
assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
}
static void test_ensure_cap_64bit(void) {
@ -259,7 +269,7 @@ int main(int argc, char *argv[]) {
fork_test(test_have_effective_cap);
if (run_ambient)
fork_test(test_set_ambient_caps);
fork_test(test_apply_ambient_caps);
return 0;
}