[cifs-utils PATCH] cifs.upcall: trim even more capabilities

Simo Sorce simo at redhat.com
Thu Feb 16 15:07:25 UTC 2017


Reviewed-by: Simo Sorce <simo at redhat.com>

On Thu, 2017-02-16 at 09:59 -0500, Jeff Layton wrote:
> We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
> only when we are going to probe the environ file.
> 
> Also, fix the non-libcap-ng trim_capabilities prototype.
> 
> Signed-off-by: Jeff Layton <jlayton at samba.org>
> ---
>  cifs.upcall.c | 17 ++++++++---------
>  1 file changed, 8 insertions(+), 9 deletions(-)
> 
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 6d9c427b7032..dae58b919408 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -70,22 +70,21 @@ typedef enum _sectype {
>  
>  #ifdef HAVE_LIBCAP_NG
>  static int
> -trim_capabilities(bool need_ptrace)
> +trim_capabilities(bool need_environ)
>  {
>  	capng_clear(CAPNG_SELECT_BOTH);
>  
> -	/*
> -	 * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
> -	 * change gid and grouplist, and SETUID to change uid.
> -	 */
> +	/* SETUID and SETGID to change uid, gid, and grouplist */
>  	if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> -			CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
> +			CAP_SETUID, CAP_SETGID, -1)) {
>  		syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
>  		return 1;
>  	}
>  
> -	if (need_ptrace &&
> -	    capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
> +	 /* Need PTRACE and DAC_OVERRIDE for environment scraping */
> +	if (need_environ &&
> +	    capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> +			CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) {
>  		syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
>  		return 1;
>  	}
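Review bot: the comment introduced before the second capng_updatev call still says "Need PTRACE and DAC_OVERRIDE for environment scraping", but the call it annotates now adds CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH, which is exactly the point of the patch; update it to something like `/* Need PTRACE and DAC_READ_SEARCH for environment scraping */` so the comment does not contradict the code. The same line also carries a stray space before the tab (`	 /*`), which misaligns it with the `if` that follows.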
> @@ -109,7 +108,7 @@ drop_all_capabilities(void)
>  }
>  #else /* HAVE_LIBCAP_NG */
>  static int
> -trim_capabilities(void)
> +trim_capabilities(bool unused)
>  {
>  	return 0;
>  }
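Review bot: the non-libcap-ng stub `trim_capabilities(bool unused)` names a parameter it never touches, so builds with -Wextra will warn about an unused parameter; add `(void)unused;` to the body or mark it `__attribute__((unused))`. Since this stub now uses `bool`, also confirm that the stdbool.h include is visible outside the HAVE_LIBCAP_NG block, otherwise the fixed prototype only compiles in the libcap-ng build.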


-- 
Simo Sorce * Red Hat, Inc * New York

