authorLennart Poettering <lennart@poettering.net>2019-03-08 13:27:01 +0100
committerLennart Poettering <lennart@poettering.net>2019-03-15 15:33:09 +0100
commit248dd9417161e4a468cc6f21ad8d410a674f73fa (patch)
tree2e400ae7532aff442e4411d26406ac840bed74c5 /src/basic/capability-util.c
parentc8a79aa8127c40eab63aef4758bc3492db864214 (diff)
capability: deal with libcap being older than kernel
Diffstat (limited to 'src/basic/capability-util.c')
-rw-r--r--src/basic/capability-util.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index b351f23618..e700edf260 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -426,8 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
if (q->inheritable != (uint64_t) -1) {
cap_flag_value_t old_value, new_value;
- if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value) < 0)
+ if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value) < 0) {
+ if (errno == EINVAL) /* If the kernel knows more caps than this
+ * version of libcap, then this will return
+ * EINVAL. In that case, simply ignore it,
+ * pretend it doesn't exist. */
+ continue;
+
return -errno;
+ }
new_value = (q->inheritable & m) ? CAP_SET : CAP_CLEAR;
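Review bot: The `continue` on `EINVAL` in the CAP_INHERITABLE branch, repeated in the CAP_PERMITTED and CAP_EFFECTIVE hunks, fails open: a capability the kernel knows but this libcap does not is skipped even when the quintet's mask asks for it to be cleared, so a bit the caller meant to drop may remain in the process's sets. The enclosing loop and the step that applies the capability state are outside these hunks, so this is inferred from the visible lines and should be confirmed against the full function. If it holds, the skip should not be silent: assuming the file has systemd's logging macros in scope, add `log_debug("libcap does not know capability %i, leaving it unchanged", (int) cv);` before `continue`, or return an error when the mask wants the bit cleared. The explanatory comment also appears only on the first branch, between an unbraced `if` and its `continue`; one comment above the loop, or a small static helper wrapping `cap_get_flag`, would keep the three copies from drifting apart.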
@@ -442,8 +449,12 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
if (q->permitted != (uint64_t) -1) {
cap_flag_value_t old_value, new_value;
- if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value) < 0)
+ if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value) < 0) {
+ if (errno == EINVAL)
+ continue;
+
return -errno;
+ }
new_value = (q->permitted & m) ? CAP_SET : CAP_CLEAR;
@@ -458,8 +469,12 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
if (q->effective != (uint64_t) -1) {
cap_flag_value_t old_value, new_value;
- if (cap_get_flag(c, cv, CAP_EFFECTIVE, &old_value) < 0)
+ if (cap_get_flag(c, cv, CAP_EFFECTIVE, &old_value) < 0) {
+ if (errno == EINVAL)
+ continue;
+
return -errno;
+ }
new_value = (q->effective & m) ? CAP_SET : CAP_CLEAR;