[linux-cifs-client] [PATCH] mount.cifs: properly prune the capabilities bounding set
Jeff Layton
jlayton at samba.org
Mon Apr 5 09:26:00 MDT 2010
On Mon, 5 Apr 2010 11:15:26 -0400
Jeff Layton <jlayton at samba.org> wrote:
> ...libcap-ng does this in a much easier fashion. If that's not
> available, then we have to do it manually.
>
> Signed-off-by: Jeff Layton <jlayton at samba.org>
> ---
> configure.ac | 3 +++
> mount.cifs.c | 37 ++++++++++++++++++++++++++++++++++++-
> 2 files changed, 39 insertions(+), 1 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 857b0d8..d734d62 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -100,6 +100,9 @@ AC_FUNC_STRNLEN
> # check for required functions
> AC_CHECK_FUNCS([alarm atexit endpwent getmntent getpass gettimeofday inet_ntop memset realpath setenv strchr strdup strerror strncasecmp strndup strpbrk strrchr strstr strtol strtoul uname], , [AC_MSG_ERROR([necessary functions(s) not found])])
>
> +# check for prctl
> +AC_CHECK_FUNCS([prctl])
> +
> # ugly, but I'm not sure how to check for functions in a library that's not in $LIBS
> cu_saved_libs=$LIBS
> LIBS="$LIBS $KRB5_LDADD"
> diff --git a/mount.cifs.c b/mount.cifs.c
> index 1ff1846..712a8fe 100644
> --- a/mount.cifs.c
> +++ b/mount.cifs.c
> @@ -47,6 +47,9 @@
> #ifdef HAVE_LIBCAP_NG
> #include <cap-ng.h>
> #else /* HAVE_LIBCAP_NG */
> +#ifdef HAVE_PRCTL
> +#include <sys/prctl.h>
> +#endif /* HAVE_PRCTL */
> #ifdef HAVE_LIBCAP
> #include <sys/capability.h>
> #endif /* HAVE_LIBCAP */
> @@ -364,14 +367,46 @@ toggle_cap_dac_override(int enable)
> return 0;
> }
> #else /* HAVE_LIBCAP_NG */
> +#ifdef HAVE_PRCTL
> +static int
> +prune_bounding_set(void)
> +{
> + int i, rc = 0;
> + static int bounding_set_cleared;
> +
> + if (bounding_set_cleared)
> + return 0;
> +
> + for (i = 0; i < CAP_LAST_CAP && rc == 0; ++i)
^^^
Self review here...
That should be '<=' or we miss dropping the last capability in the list.
> + rc = prctl(PR_CAPBSET_DROP, i);
> +
> + if (rc != 0) {
> + fprintf(stderr, "Unable to clear capability bounding set: %d\n", rc);
> + return EX_SYSERR;
> + }
> +
> + ++bounding_set_cleared;
> + return 0;
> +}
> +#else /* HAVE_PRCTL */
> +static int
> +prune_bounding_set(void)
> +{
> + return 0;
> +}
> +#endif /* HAVE_PRCTL */
> #ifdef HAVE_LIBCAP
> static int
> drop_capabilities(int parent)
> {
> - int rc = 0, ncaps;
> + int rc, ncaps;
> cap_t caps;
> cap_value_t cap_list[2];
>
> + rc = prune_bounding_set();
> + if (rc)
> + return rc;
> +
> caps = cap_get_proc();
> if (caps == NULL) {
> fprintf(stderr, "Unable to get current capability set: %s\n",
--
Jeff Layton <jlayton at samba.org>
More information about the linux-cifs-client
mailing list