#include <unistd.h>
#include "alloc-util.h"
+#include "bitfield.h"
#include "cap-list.h"
#include "capability-util.h"
#include "fd-util.h"
int r;
/* Remove capabilities requested in ambient set, but not in the bounding set */
- for (unsigned i = 0; i <= cap_last_cap(); i++) {
- if (set == 0)
- break;
+ BIT_FOREACH(i, set) {
+ assert((unsigned) i <= cap_last_cap());
- if (FLAGS_SET(set, (UINT64_C(1) << i)) && prctl(PR_CAPBSET_READ, i) != 1) {
- log_debug("Ambient capability %s requested but missing from bounding set,"
- " suppressing automatically.", capability_to_name(i));
- set &= ~(UINT64_C(1) << i);
+ if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {
+ log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
+ capability_to_name(i));
+ CLEAR_BIT(set, i);
}
}
}
for (unsigned i = 0; i <= cap_last_cap(); i++) {
-
- if (set & (UINT64_C(1) << i)) {
-
+ if (BIT_SET(set, i)) {
/* Add the capability to the ambient set. */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
return -errno;
} else {
-
/* Drop the capability so we don't inherit capabilities we didn't ask for. */
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
if (r < 0)
return -errno;
-
- if (r)
+ if (r > 0)
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
return -errno;
-
}
}
combined = q->effective | q->bounding | q->inheritable | q->permitted | q->ambient;
- for (unsigned i = 0; i <= cap_last_cap(); i++) {
- unsigned long bit = UINT64_C(1) << i;
- if (!FLAGS_SET(combined, bit))
- continue;
+ BIT_FOREACH(i, combined) {
+ assert((unsigned) i <= cap_last_cap());
- if (prctl(PR_CAPBSET_READ, i) > 0)
+ if (prctl(PR_CAPBSET_READ, (unsigned long) i) > 0)
continue;
- drop |= bit;
+ SET_BIT(drop, i);
- log_debug("Not in the current bounding set: %s", capability_to_name(i));
+ log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i));
}
q->effective &= ~drop;
r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
if (r < 0)
return -errno;
-
- if (r)
- a |= UINT64_C(1) << i;
+ if (r > 0)
+ SET_BIT(a, i);
}
*ret = a;
projects / thirdparty / systemd.git / commitdiff
