From: Michal Privoznik Date: Thu, 24 Jun 2021 14:58:53 +0000 (+0200) Subject: virSetUIDGIDWithCaps: Assume PR_CAPBSET_DROP is always defined X-Git-Tag: v7.6.0-rc1~257 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3c05984f2f0c1e484313464cb0d7de3cc68a504;p=thirdparty%2Flibvirt.git virSetUIDGIDWithCaps: Assume PR_CAPBSET_DROP is always defined Bounding set capabilities were introduced in kernel commit of v2.6.25-rc1~912. I guess it is safe to assume that all Linux hosts we ran on have at least that version or newer. Signed-off-by: Michal Privoznik Reviewed-by: Martin Kletzander --- diff --git a/src/util/virutil.c b/src/util/virutil.c index 199d405286..ed3d57662b 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -1182,13 +1182,12 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups, need_setuid = true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID); } -# ifdef PR_CAPBSET_DROP - /* If newer kernel, we need also need setpcap to change the bounding set */ + + /* We need also need setpcap to change the bounding set */ if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { need_setpcap = true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP); } -# endif /* Tell system we want to keep caps across uid change */ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
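Review bot: The replacement comment in the `@@ -1182,13 +1182,12 @@` hunk of src/util/virutil.c keeps the duplicated word from the line it replaces ("We need also need setpcap"). Since the line is being rewritten anyway, something like "We also need CAP_SETPCAP to change the bounding set" would read correctly. With the `# ifdef PR_CAPBSET_DROP` / `# endif` pair gone, the `need_setpcap` branch is now compiled unconditionally, so the comment is also a good place to record the baseline the commit message relies on (bounding set support since v2.6.25-rc1), rather than leaving that only in the commit log. Only this one guard is visible here. If other `PR_CAPBSET_DROP` conditionals remain in the same function, for example around the code that later consumes `need_setpcap`, they should be dropped in the same change so that the add and the later cleanup of CAP_SETPCAP cannot end up compiled under different conditions.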