From: Yu Watanabe Date: Thu, 23 Oct 2025 16:52:02 +0000 (+0900) Subject: capability-util: tighten requirement for CAP_LAST_CAP off by one X-Git-Tag: v259-rc1~255^2~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c0cdc4a2ccce078349099ec545c0f685ab71405;p=thirdparty%2Fsystemd.git capability-util: tighten requirement for CAP_LAST_CAP off by one Otherwise, we cannot use UINT64_MAX as 'unset'. --- diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h index 09b612b1e66..fa8b591759c 100644 --- a/src/basic/capability-util.h +++ b/src/basic/capability-util.h @@ -8,7 +8,6 @@ /* Special marker used when storing a capabilities mask as "unset". This would need to be updated as soon as * Linux learns more than 63 caps. */ #define CAP_MASK_UNSET UINT64_MAX -assert_cc(CAP_LAST_CAP < 64); /* All possible capabilities bits on */ #define CAP_MASK_ALL UINT64_C(0x7fffffffffffffff) @@ -16,6 +15,7 @@ assert_cc(CAP_LAST_CAP < 64); /* The largest capability we can deal with, given we want to be able to store cap masks in uint64_t but still * be able to use UINT64_MAX as indicator for "not set". The latter makes capability 63 unavailable. */ #define CAP_LIMIT 62 +assert_cc(CAP_LAST_CAP <= CAP_LIMIT); static inline bool capability_is_set(uint64_t v) { return v != CAP_MASK_UNSET; diff --git a/src/test/test-capability-util.c b/src/test/test-capability-util.c index 881aafbc7f4..67a61c7eaf0 100644 --- a/src/test/test-capability-util.c +++ b/src/test/test-capability-util.c @@ -241,11 +241,9 @@ static void test_ensure_cap_64_bit(void) { ASSERT_OK(safe_atolu(content, &p)); - /* If caps don't fit into 64-bit anymore, we have a problem, fail the test. */ - assert_se(p <= 63); - - /* Also check for the header definition */ - assert_cc(CAP_LAST_CAP <= 63); + /* If caps don't fit into 64-bit anymore, we have a problem, fail the test. Moreover, we use + * UINT64_MAX as unset, hence it must be smaller than or equals to 62 (CAP_LIMIT). */ + assert_se(p <= CAP_LIMIT); } static void test_capability_get_ambient(void) {