author | Kevin Kuehler <keur@xcf.berkeley.edu> | 2019-11-24 01:27:09 -0800 |
---|---|---|
committer | Kevin Kuehler <keur@xcf.berkeley.edu> | 2019-11-26 11:21:40 -0800 |
commit | 82d832b435a0ae799011aeec75584af8188fb8db (patch) | |
tree | 75cdb92f18e5051f561c8905febfbc08daa6e831 /src/basic/capability-util.c | |
parent | 78af8a798aa9f1100a1228454ff8ebf98ce1b9e5 (diff) | |
download | systemd-82d832b435a0ae799011aeec75584af8188fb8db.tar.gz |
basic: Drop ambient inherited capabilities by default
Modify the functions capability_update_inherited_set() and
capability_ambient_set_apply() to drop capabilities not explicitly
requested by the user.
Diffstat (limited to 'src/basic/capability-util.c')
-rw-r--r-- | src/basic/capability-util.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index d084ad5cf5..93237646cc 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -86,20 +86,17 @@ unsigned long cap_last_cap(void) {
 int capability_update_inherited_set(cap_t caps, uint64_t set) {
         unsigned long i;
 
-        /* Add capabilities in the set to the inherited caps. Do not apply
-         * them yet. */
+        /* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
+         * Do not apply them yet. */
 
         for (i = 0; i <= cap_last_cap(); i++) {
+                cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
+                cap_value_t v;
 
-                if (set & (UINT64_C(1) << i)) {
-                        cap_value_t v;
-
-                        v = (cap_value_t) i;
+                v = (cap_value_t) i;
 
-                        /* Make the capability inheritable. */
-                        if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
-                                return -errno;
-                }
+                if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, flag) < 0)
+                        return -errno;
         }
 
         return 0;
@@ -132,6 +129,17 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
                         /* Add the capability to the ambient set. */
                         if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
                                 return -errno;
+                } else {
+
+                        /* Drop the capability so we don't inherit capabilities we didn't ask for. */
+                        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
+                        if (r < 0)
+                                return -errno;
+
+                        if (r)
+                                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
+                                        return -errno;
+                }
         }
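Review bot: The rewritten comment at the top of capability_update_inherited_set mixes its subjects ("Add ..., drops ...") and does not spell out the contract change that matters to callers, namely that the loop now clears every capability outside `set` instead of only adding; suggest `/* Make the inheritable set exactly 'set': raise every capability in it and clear every other one. Do not apply them yet. */`. The ternary on the `flag` line is correct because `&` binds tighter than `?:`, but `(set & (UINT64_C(1) << i)) ? CAP_SET : CAP_CLEAR` removes the need for the reader to check precedence. The separate `cap_value_t v;` declaration followed by `v = (cap_value_t) i;` is a leftover of the old layout and can become one line, `cap_value_t v = (cap_value_t) i;`.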
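Review bot: The nested `if (r)` / `if (prctl(...) < 0)` in the new else branch is two unbraced ifs, the shape that invites a dangling-else mistake on the next edit; fold it into one condition, `if (r > 0 && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0) return -errno;`, or brace the outer one. `r` is assigned here but not declared within the hunk; confirm it is declared at function scope rather than inside an inner block, otherwise this branch does not compile. The PR_CAP_AMBIENT_IS_SET probe before lowering presumably exists to skip the lowering call for capabilities that are already clear; saying so in the comment would help, since at first glance it reads like an error check. capability_ambient_set_apply begins and ends outside the hunk.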