From: Mike Yuan Date: Tue, 24 Dec 2024 15:59:48 +0000 (+0100) Subject: capability-util: make CAPABILITY_QUINTET_NULL const, introduce capability_quintet_is_... X-Git-Tag: v258-rc1~1762^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f3854fd6338ae5d9169684cae93fb7de7204232;p=thirdparty%2Fsystemd.git capability-util: make CAPABILITY_QUINTET_NULL const, introduce capability_quintet_is_fully_set() helper Follow-up for 1184626a269e38dcdfcd1042975a31d4eb30cd5e See 9bb64f1b8d2252d558f209a04b171d65b5ef131b for rationale of the first change. --- diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c index 627af121386..ccdb31fe4cd 100644 --- a/src/basic/capability-util.c +++ b/src/basic/capability-util.c @@ -661,11 +661,7 @@ int pidref_get_capability(const PidRef *pidref, CapabilityQuintet *ret) { } } - if (q.effective == CAP_MASK_UNSET || - q.inheritable == CAP_MASK_UNSET || - q.permitted == CAP_MASK_UNSET || - q.effective == CAP_MASK_UNSET || - q.ambient == CAP_MASK_UNSET) + if (!capability_quintet_is_fully_set(&q)) return -EBADMSG; r = pidref_verify(pidref); diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h index 9caae1ac064..89c6cbec414 100644 --- a/src/basic/capability-util.h +++ b/src/basic/capability-util.h @@ -10,8 +10,10 @@ #include "missing_capability.h" #include "pidref.h" -/* Special marker used when storing a capabilities mask as "unset" */ +/* Special marker used when storing a capabilities mask as "unset". This would need to be updated as soon as + * Linux learns more than 63 caps. */ #define CAP_MASK_UNSET UINT64_MAX +assert_cc(CAP_LAST_CAP < 64); /* All possible capabilities bits on */ #define CAP_MASK_ALL UINT64_C(0x7fffffffffffffff) @@ -20,6 +22,10 @@ * be able to use UINT64_MAX as indicator for "not set". The latter makes capability 63 unavailable. */ #define CAP_LIMIT 62 +static inline bool capability_is_set(uint64_t v) { + return v != CAP_MASK_UNSET; +} + unsigned cap_last_cap(void); int have_effective_cap(int value); int capability_gain_cap_setpcap(cap_t *return_caps); @@ -56,8 +62,7 @@ static inline bool cap_test_all(uint64_t caps) { #define CAP_TO_MASK_CORRECTED(x) (1U << ((x) & 31U)) typedef struct CapabilityQuintet { - /* Stores all five types of capabilities in one go. Note that we use UINT64_MAX for unset here. This hence - * needs to be updated as soon as Linux learns more than 63 caps. */ + /* Stores all five types of capabilities in one go. */ uint64_t effective; uint64_t bounding; uint64_t inheritable; @@ -65,13 +70,7 @@ typedef struct CapabilityQuintet { uint64_t ambient; } CapabilityQuintet; -assert_cc(CAP_LAST_CAP < 64); - -#define CAPABILITY_QUINTET_NULL (CapabilityQuintet) { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET } - -static inline bool capability_is_set(uint64_t v) { - return v != CAP_MASK_UNSET; -} +#define CAPABILITY_QUINTET_NULL (const CapabilityQuintet) { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET } static inline bool capability_quintet_is_set(const CapabilityQuintet *q) { return capability_is_set(q->effective) || @@ -81,6 +80,14 @@ static inline bool capability_quintet_is_set(const CapabilityQuintet *q) { capability_is_set(q->ambient); } +static inline bool capability_quintet_is_fully_set(const CapabilityQuintet *q) { + return capability_is_set(q->effective) && + capability_is_set(q->bounding) && + capability_is_set(q->inheritable) && + capability_is_set(q->permitted) && + capability_is_set(q->ambient); +} + /* Mangles the specified caps quintet taking the current bounding set into account: * drops all caps from all five sets if our bounding set doesn't allow them. * Returns true if the quintet was modified. */