From: Kevin Kuehler Date: Sun, 24 Nov 2019 09:27:09 +0000 (-0800) Subject: basic: Drop ambient inherited capabilities by default X-Git-Tag: v245-rc1~319^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=82d832b435a0ae799011aeec75584af8188fb8db;p=thirdparty%2Fsystemd.git basic: Drop ambient inherited capabilities by default Modify the functions capability_update_inherited_set() and capability_ambient_set_apply() to drop capabilities not explicitly requested by the user. --- diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c index d084ad5cf55..93237646cc9 100644 --- a/src/basic/capability-util.c +++ b/src/basic/capability-util.c @@ -86,20 +86,17 @@ unsigned long cap_last_cap(void) { int capability_update_inherited_set(cap_t caps, uint64_t set) { unsigned long i; - /* Add capabilities in the set to the inherited caps. Do not apply - * them yet. */ + /* Add capabilities in the set to the inherited caps, drops capabilities not in the set. + * Do not apply them yet. */ for (i = 0; i <= cap_last_cap(); i++) { + cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR; + cap_value_t v; - if (set & (UINT64_C(1) << i)) { - cap_value_t v; - - v = (cap_value_t) i; + v = (cap_value_t) i; - /* Make the capability inheritable. */ - if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0) - return -errno; - } + if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, flag) < 0) + return -errno; } return 0; @@ -132,6 +129,17 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { /* Add the capability to the ambient set. */ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0) return -errno; + } else { + + /* Drop the capability so we don't inherit capabilities we didn't ask for. */ + r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0); + if (r < 0) + return -errno; + + if (r) + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0) + return -errno; + } }