diff options
author | Andrew G. Morgan <morgan@kernel.org> | 2020-02-23 15:50:51 -0800 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2020-02-23 16:21:40 -0800 |
commit | e20eb695f91b5c3a87039d6b512b28056c71256d (patch) | |
tree | 8ebbd8776824030a95bcac5c4f72e3d5b538f8ea /cap/iab.go | |
parent | ef485973d5547431782f9e5f4323eabfebb38622 (diff) | |
download | libcap2-e20eb695f91b5c3a87039d6b512b28056c71256d.tar.gz |
Implement cap.Launch()
From a Go runtime provide a convenient way to launch a different
process with modified capabilities etc. without disturbing the
security state of the parent.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'cap/iab.go')
-rw-r--r-- | cap/iab.go | 25 |
1 files changed, 16 insertions, 9 deletions
@@ -33,7 +33,7 @@ const ( // IABInit() returns an empty IAB. func IABInit() *IAB { - startUp.Do(cInit) + startUp.Do(multisc.cInit) return &IAB{ i: make([]uint32, words), a: make([]uint32, words), @@ -126,9 +126,8 @@ func (iab *IAB) String() string { return strings.Join(vs, ",") } -// SetProc attempts to change the Inheritable, Ambient and Bounding -// capabilty vectors of the current process. -func (iab *IAB) SetProc() (err error) { +//go:nosplit +func (sc *syscaller) iabSetProc(iab *IAB) (err error) { temp := GetProc() var raising uint32 for i := 0; i < words; i++ { @@ -146,26 +145,26 @@ func (iab *IAB) SetProc() (err error) { if err = working.SetFlag(Effective, true, SETPCAP); err != nil { return } - if err = working.SetProc(); err != nil { + if err = sc.setProc(working); err != nil { return } } defer func() { - if err2 := temp.SetProc(); err == nil { + if err2 := sc.setProc(temp); err == nil { err = err2 } }() - if err = ResetAmbient(); err != nil { + if err = sc.resetAmbient(); err != nil { return } for c := Value(maxValues); c > 0; { c-- offset, mask := omask(c) if iab.a[offset]&mask != 0 { - err = SetAmbient(true, c) + err = sc.setAmbient(true, c) } if err == nil && iab.nb[offset]&mask != 0 { - err = DropBound(c) + err = sc.dropBound(c) } if err != nil { return @@ -174,6 +173,14 @@ func (iab *IAB) SetProc() (err error) { return } +// SetProc attempts to change the Inheritable, Ambient and Bounding +// capabilty vectors of the current process. +func (iab *IAB) SetProc() error { + scwMu.Lock() + defer scwMu.Unlock() + return multisc.iabSetProc(iab) +} + // GetVector returns the raised state of the specific capability bit // of the indicated vector. func (iab *IAB) GetVector(vec Vector, val Value) (bool, error) { |