authorVincent Untz <vuntz@gnome.org>2011-05-06 14:14:21 +0200
committerVincent Untz <vuntz@gnome.org>2011-05-16 08:46:14 +0200
commit11a5d410d9d2c9006d78cff05ee42759cc7731b1 (patch)
tree773ff1be9f48213d46eb7bd5b962370f03cd5ac5 /daemon/gkd-capability.c
parent89efa77a605078c501eff393f201911d24604565 (diff)
Improved checks for fs capabilities, and drop unneeded ones
If we have fs capabilities, we first need to check that we really do have ipc_lock, and if that's the case we just keep ipc_lock and drop everything else. https://bugzilla.gnome.org/show_bug.cgi?id=649560
Diffstat (limited to 'daemon/gkd-capability.c')
-rw-r--r--daemon/gkd-capability.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index 5b47f4e7..e15200ae 100644
--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -71,11 +71,26 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
early_error ("failed dropping capabilities");
break;
case CAPNG_FAIL:
- case CAPNG_NONE:
early_error ("error getting process capabilities");
break;
+ case CAPNG_NONE:
+ early_error ("insufficient process capabilities");
+ break;
case CAPNG_PARTIAL: /* File system based capabilities */
- break;
+ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
+ early_error ("insufficient process capabilities");
+ break;
+ }
+
+ /* Drop all capabilities except ipc_lock */
+ capng_clear (CAPNG_SELECT_BOTH);
+ if (capng_update (CAPNG_ADD,
+ CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_IPC_LOCK) != 0)
+ early_error ("error dropping process capabilities");
+ if (capng_apply (CAPNG_SELECT_BOTH) != 0)
+ early_error ("error dropping process capabilities");
+ break;
}
#endif /* HAVE_LIBCAPNG */
}
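Review bot: In the new CAPNG_PARTIAL branch a failed `capng_apply (CAPNG_SELECT_BOTH)` is only reported through `early_error` and then falls through to `break`; the explicit `break` after the earlier `early_error` in the same branch suggests that call returns, so the daemon would presumably keep running with whatever capabilities the file granted. If that reading is right the drop fails open, and the apply failure should stop startup (or be reported to the caller) rather than be logged and ignored. The `capng_update` and `capng_apply` failure paths also share one message, so a log cannot tell them apart; a distinct string such as `early_error ("error applying reduced capability set");` on the apply path would help. `CAPNG_SELECT_BOTH` also covers the bounding set, which normally needs CAP_SETPCAP to change, so it is worth confirming that `capng_apply` succeeds when only ipc_lock is held. The enclosing function begins outside this hunk, so earlier handling is not visible here.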