diff options
author | Mario Sanchez Prada <mario@endlessm.com> | 2017-02-06 20:28:49 +0000 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2017-02-07 17:53:50 +0000 |
commit | a2ceebb38c1ff7ab90d2229c83aa00d14a5a8fce (patch) | |
tree | 2392e3046bd70c16cd8ef112956514b9b31a20a2 | |
parent | a27841ed094b7db7a1cada2086c4bfc4d7ddd842 (diff) | |
download | bubblewrap-a2ceebb38c1ff7ab90d2229c83aa00d14a5a8fce.tar.gz |
Ignore EPERM when dropping caps from bounding set
Some older kernels are buggy with respect to this; see
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077
Fixes: https://github.com/projectatomic/bubblewrap/issues/174
Closes: #175
Approved by: mariospr
-rw-r--r-- | bubblewrap.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/bubblewrap.c b/bubblewrap.c index a1848ff..7f3fc28 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -482,10 +482,17 @@ drop_cap_bounding_set (void) { unsigned long cap; + /* We ignore both EINVAL and EPERM, as we are actually relying + * on PR_SET_NO_NEW_PRIVS to ensure the right capabilities are + * available. EPERM in particular can happen with old, buggy + * kernels. See: + * https://github.com/projectatomic/bubblewrap/pull/175#issuecomment-278051373 + * https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077 + */ for (cap = 0; cap <= 63; cap++) { int res = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0); - if (res == -1 && errno != EINVAL) + if (res == -1 && !(errno == EINVAL || errno == EPERM)) die_with_error ("Dropping capability %ld from bounds", cap); } } |