Check ambient set against bounding set prior to applying ambient set

Fixes #15020
author: sterlinghughes <sterling.hughes@gmail.com> 2020-05-28 13:54:27 -0700
committer: Lennart Poettering <lennart@poettering.net> 2020-05-29 21:23:26 +0200
commit: 8acb11a6a337601a6f307fb50d77b13ffa0b3c5e (patch)
tree: a27da3c97b38b7fd5aff632a3ff21471e93b5a08 /src/basic/capability-util.c
parent: 42ba8d25adcb59a88e3e97143be90d74b481ff0a (diff)
download: systemd-8acb11a6a337601a6f307fb50d77b13ffa0b3c5e.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 9dbebfa167..ac96eabc03 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -107,6 +107,18 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         unsigned long i;
         int r;
 
+        /* Remove capabilities requested in ambient set, but not in the bounding set */
+        for (i = 0; i <= cap_last_cap(); i++) {
+                if (set == 0)
+                        break;
+
+                if (FLAGS_SET(set, (UINT64_C(1) << i)) && prctl(PR_CAPBSET_READ, i) != 1) {
+                        log_debug("Ambient capability %s requested but missing from bounding set,"
+                                        " suppressing automatically.", capability_to_name(i));
+                        set &= ~(UINT64_C(1) << i);
+                }
+        }
+
         /* Add the capabilities to the ambient set (an possibly also the inheritable set) */
 
         /* Check that we can use PR_CAP_AMBIENT or quit early. */
author	sterlinghughes <sterling.hughes@gmail.com>	2020-05-28 13:54:27 -0700
committer	Lennart Poettering <lennart@poettering.net>	2020-05-29 21:23:26 +0200
commit	8acb11a6a337601a6f307fb50d77b13ffa0b3c5e (patch)
tree	a27da3c97b38b7fd5aff632a3ff21471e93b5a08 /src/basic/capability-util.c
parent	42ba8d25adcb59a88e3e97143be90d74b481ff0a (diff)
download	systemd-8acb11a6a337601a6f307fb50d77b13ffa0b3c5e.tar.gz