lib: Remove [set|drop]_effective_capability and enum smbd_capability

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 12 10:39:38 UTC 2026 on atb-devel-224

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 09516d5b014bfbf1cd533efbb6fa4d700e908d09..e13584c4d6cade60cd0ecb223592997faa3704ca 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -193,8 +193,6 @@ DIR *sys_fdopendir(int fd);
 int sys_mknod(const char *path, mode_t mode, SMB_DEV_T dev);
 int sys_mknodat(int dirfd, const char *path, mode_t mode, SMB_DEV_T dev);
 char *sys_getwd(void);
-void set_effective_capability(enum smbd_capability capability);
-void drop_effective_capability(enum smbd_capability capability);
 void set_dmapi_capability(bool enable);
 void set_dac_override_capability(bool enable);
 long sys_random(void);

diff --git a/source3/include/smb.h b/source3/include/smb.h
index d3b6534cfeba8c8379ed8ffae2208a2f22e62447..50e265f28b0a4bad4638d65222c77694e29a1f46 100644 (file)
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -470,15 +470,6 @@ Offset  Data                  length.
 #define OPLOCKLEVEL_NONE 0
 #define OPLOCKLEVEL_II 1
 
-/*
- * Capabilities abstracted for different systems.
- */
-
-enum smbd_capability {
-    DMAPI_ACCESS_CAPABILITY,
-    DAC_OVERRIDE_CAPABILITY
-};
-
 struct kernel_oplocks_ops;
 struct kernel_oplocks {
        const struct kernel_oplocks_ops *ops;

diff --git a/source3/lib/system.c b/source3/lib/system.c
index 438eea9fcb7f3263750637827e0c13a472fb7262..e3dc53361ba74aa8f27b3c4c65355c0b682e5df3 100644 (file)
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -563,93 +563,6 @@ char *sys_getwd(void)
 
 #if defined(HAVE_POSIX_CAPABILITIES)
 
-/**************************************************************************
- Try and abstract process capabilities (for systems that have them).
-****************************************************************************/
-
-/* Set the POSIX capabilities needed for the given purpose into the effective
- * capability set of the current process. Make sure they are always removed
- * from the inheritable set, because there is no circumstance in which our
- * children should inherit our elevated privileges.
- */
-static bool set_process_capability(enum smbd_capability capability,
-                                  bool enable)
-{
-       /* "5" is the number of "num_cap_vals++" below */
-       cap_value_t cap_vals[5] = {0};
-       size_t num_cap_vals = 0;
-
-       cap_t cap;
-
-#if defined(HAVE_PRCTL) && defined(PR_GET_KEEPCAPS) && defined(PR_SET_KEEPCAPS)
-       /* On Linux, make sure that any capabilities we grab are sticky
-        * across UID changes. We expect that this would allow us to keep both
-        * the effective and permitted capability sets, but as of circa 2.6.16,
-        * only the permitted set is kept. It is a bug (which we work around)
-        * that the effective set is lost, but we still require the effective
-        * set to be kept.
-        */
-       if (!prctl(PR_GET_KEEPCAPS)) {
-               prctl(PR_SET_KEEPCAPS, 1);
-       }
-#endif
-
-       cap = cap_get_proc();
-       if (cap == NULL) {
-               DEBUG(0,("set_process_capability: cap_get_proc failed: %s\n",
-                       strerror(errno)));
-               return False;
-       }
-
-       switch (capability) {
-               /*
-                * WARNING: If you add any #ifdef for a fresh
-                * capability, bump up the array size in the
-                * declaration of cap_vals[] above just to be
-                * trivially safe to never overwrite cap_vals[].
-                */
-               case DMAPI_ACCESS_CAPABILITY:
-#ifdef CAP_DEVICE_MGT
-                       /* IRIX has CAP_DEVICE_MGT for DMAPI access. */
-                       cap_vals[num_cap_vals++] = CAP_DEVICE_MGT;
-#elif CAP_MKNOD
-                       /* Linux has CAP_MKNOD for DMAPI access. */
-                       cap_vals[num_cap_vals++] = CAP_MKNOD;
-#endif
-                       break;
-               case DAC_OVERRIDE_CAPABILITY:
-#ifdef CAP_DAC_OVERRIDE
-                       cap_vals[num_cap_vals++] = CAP_DAC_OVERRIDE;
-#endif
-       }
-
-       if (num_cap_vals == 0) {
-               cap_free(cap);
-               return True;
-       }
-
-       cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
-               enable ? CAP_SET : CAP_CLEAR);
-
-       /* We never want to pass capabilities down to our children, so make
-        * sure they are not inherited.
-        */
-       cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
-
-       if (cap_set_proc(cap) == -1) {
-               DBG_ERR("%s capability %d: cap_set_proc failed: %s\n",
-                       enable ? "adding" : "dropping",
-                       capability, strerror(errno));
-               cap_free(cap);
-               return False;
-       }
-       DBG_INFO("%s capability %d\n",
-                enable ? "added" : "dropped", capability);
-
-       cap_free(cap);
-       return True;
-}
-
 static bool set_one_cap(cap_value_t val, bool enable)
 {
        cap_t cap;
@@ -752,51 +665,6 @@ void set_dac_override_capability(bool enable)
        }
 }
 
-/****************************************************************************
- Gain the oplock capability from the kernel if possible.
-****************************************************************************/
-
-#if defined(HAVE_POSIX_CAPABILITIES) && defined(CAP_DAC_OVERRIDE)
-static bool have_cap_dac_override = true;
-#else
-static bool have_cap_dac_override = false;
-#endif
-
-void set_effective_capability(enum smbd_capability capability)
-{
-       bool ret = false;
-
-       if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
-#if defined(HAVE_POSIX_CAPABILITIES)
-               ret = set_process_capability(capability, True);
-#endif /* HAVE_POSIX_CAPABILITIES */
-       }
-
-       /*
-        * Fallback to become_root() if CAP_DAC_OVERRIDE is not
-        * available.
-        */
-       if (capability == DAC_OVERRIDE_CAPABILITY) {
-               if (!ret) {
-                       have_cap_dac_override = false;
-               }
-               if (!have_cap_dac_override) {
-                       become_root();
-               }
-       }
-}
-
-void drop_effective_capability(enum smbd_capability capability)
-{
-       if (capability != DAC_OVERRIDE_CAPABILITY || have_cap_dac_override) {
-#if defined(HAVE_POSIX_CAPABILITIES)
-               set_process_capability(capability, False);
-#endif /* HAVE_POSIX_CAPABILITIES */
-       } else {
-               unbecome_root();
-       }
-}
-
 /**************************************************************************
  Wrapper for random().
 ****************************************************************************/