setpriv: support dumping ambient capabilities

Our code dumping owned capabilities does not yet handle ambient
capabilities, which were only recently introduced with Linux 4.3. This
commit implements printing ambient capabilities if they're supported by
the system.

Based on a patch by Andy Lutomirski.

Reviewed-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Patrick Steinhardt <ps@pks.im>

diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
index 3ef180cf017b0e33e215fafd1afa9f6f499c3bd8..5216f98ef2db8cdd0ed6c86e2c44f70e5640b2d0 100644 (file)
--- a/sys-utils/setpriv.c
+++ b/sys-utils/setpriv.c
@@ -46,13 +46,19 @@
 # define PR_GET_NO_NEW_PRIVS 39
 #endif
 
+#ifndef PR_CAP_AMBIENT
+# define PR_CAP_AMBIENT                47
+#  define PR_CAP_AMBIENT_IS_SET        1
+#endif
+
 #define SETPRIV_EXIT_PRIVERR 127       /* how we exit when we fail to set privs */
 
 enum cap_type {
        CAP_TYPE_EFFECTIVE   = CAPNG_EFFECTIVE,
        CAP_TYPE_PERMITTED   = CAPNG_PERMITTED,
        CAP_TYPE_INHERITABLE = CAPNG_INHERITABLE,
-       CAP_TYPE_BOUNDING    = CAPNG_BOUNDING_SET
+       CAP_TYPE_BOUNDING    = CAPNG_BOUNDING_SET,
+       CAP_TYPE_AMBIENT     = (1 << 4)
 };
 
 /*
@@ -170,6 +176,9 @@ static int has_cap(enum cap_type which, unsigned int i)
        case CAP_TYPE_INHERITABLE:
        case CAP_TYPE_PERMITTED:
                return capng_have_capability(which, i);
+       case CAP_TYPE_AMBIENT:
+               return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET,
+                               (unsigned long) i, 0UL, 0UL);
        default:
                warnx(_("invalid capability type"));
                return -1;
@@ -365,6 +374,14 @@ static void dump(int dumplevel)
                printf(_("[none]"));
        printf("\n");
 
+       printf(_("Ambient capabilities: "));
+       x = print_caps(stdout, CAP_TYPE_AMBIENT);
+       if (x == 0)
+               printf(_("[none]"));
+       if (x < 0)
+               printf(_("[unsupported]"));
+       printf("\n");
+
        printf(_("Capability bounding set: "));
        if (print_caps(stdout, CAP_TYPE_BOUNDING) == 0)
                printf(_("[none]"));