From: Michal Privoznik Date: Mon, 11 Sep 2023 08:47:01 +0000 (+0200) Subject: lxc_container: Check retval of capng_get_caps_process() X-Git-Tag: v9.8.0-rc1~140 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3222c9ca6723905e628d4c9989c5744a16f1dcde;p=thirdparty%2Flibvirt.git lxc_container: Check retval of capng_get_caps_process() Added in v0.6.5~14 the call to capng_get_caps_process() inside of lxcContainerDropCapabilities() is not really explained in the commit message. But looking into the libcap-ng sources it's to initialize the internal state of the library. But with recent libcap-ng commit [1] (which some bleeding edge distros - like Fedora rawhide - already picked up) the function has been marked as 'warn unused result'. Well, check for its retval then. 1: https://github.com/stevegrubb/libcap-ng/commit/a0743c335c9a16a2fda9b25120a5523742119e47 Signed-off-by: Michal Privoznik Reviewed-by: Ján Tomko Reviewed-by: Martin Kletzander --- diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 21220661f7..fe1e190fa9 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1725,7 +1725,13 @@ static int lxcContainerDropCapabilities(virDomainDef *def, CAP_SYSLOG, CAP_WAKE_ALARM}; - capng_get_caps_process(); + /* Init the internal state of capng */ + if ((ret = capng_get_caps_process()) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Failed to get current process capabilities: %1$d"), + ret); + return -1; + } /* Make sure we drop everything if required by the user */ if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_DENY)