author | Kevin Kuehler <keur@xcf.berkeley.edu> | 2020-03-27 15:57:02 -0700 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-04-01 19:19:09 +0200 |
commit | 1a2f596bcb14786083c522e493497e99f355f06b (patch) | |
tree | eaaf25225880332488309ddfab715ea6536d712e | |
parent | e4b7c40dca12b714932b2b8cea8755d2e31f7703 (diff) | |
download | systemd-1a2f596bcb14786083c522e493497e99f355f06b.tar.gz |
basic: Fix capability_ambient_set_apply for kernels < 4.3
https://github.com/systemd/systemd/pull/14133 made
capability_ambient_set_apply() acquire capabilities that were explicitly
asked for and drop all others. This change means the function is called
even with an empty capability set, opening up a code path for users
without ambient capabilities to call this function. This function will
error out with EINVAL on kernels < 4.3 because PR_CAP_AMBIENT is not
understood. This turns capability_ambient_set_apply() into a noop for
kernels < 4.3.
Fixes https://github.com/systemd/systemd/issues/15225
(cherry picked from commit 7ea4392f1e444388caa706d6bd64fb7b30dc2903)
-rw-r--r-- | src/basic/capability-util.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c index 93237646cc..caffda62af 100644 --- a/src/basic/capability-util.c +++ b/src/basic/capability-util.c @@ -107,6 +107,10 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { unsigned long i; int r; + /* Check that we can use PR_CAP_AMBIENT or quit early. */ + if (!ambient_capabilities_supported()) + return 0; + /* Add the capabilities to the ambient set. */ if (also_inherit) { |
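Review bot: The early return at the top of capability_ambient_set_apply() reports success regardless of the value of `set`, so on a kernel without PR_CAP_AMBIENT a caller that asked for a non-empty ambient set gets 0 back although nothing was applied. The commit message only motivates the empty-set case; consider returning 0 only when `set` is 0 and an error such as -EOPNOTSUPP otherwise, so that a caller expecting ambient capabilities does not continue silently without them. The return also sits before the `if (also_inherit)` branch, so that branch is skipped on these kernels as well; if that is intended, the new comment should say so.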