Check ambient set against bounding set prior to applying ambient set
authorsterlinghughes <sterling.hughes@gmail.com>
Thu, 28 May 2020 20:54:27 +0000 (13:54 -0700)
committerLennart Poettering <lennart@poettering.net>
Fri, 29 May 2020 19:23:26 +0000 (21:23 +0200)
Fixes #15020

src/basic/capability-util.c

index 9dbebfa1678d205b2d7e4f2637e7f15bc9640f44..ac96eabc032ba41b7f61abf748fc6143b97319d3 100644 (file)
@@ -107,6 +107,18 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
         unsigned long i;
         int r;
 
+        /* Remove capabilities requested in ambient set, but not in the bounding set */
+        for (i = 0; i <= cap_last_cap(); i++) {
+                if (set == 0)
+                        break;
+
+                if (FLAGS_SET(set, (UINT64_C(1) << i)) && prctl(PR_CAPBSET_READ, i) != 1) {
+                        log_debug("Ambient capability %s requested but missing from bounding set,"
+                                        " suppressing automatically.", capability_to_name(i));
+                        set &= ~(UINT64_C(1) << i);
+                }
+        }
+
         /* Add the capabilities to the ambient set (an possibly also the inheritable set) */
 
         /* Check that we can use PR_CAP_AMBIENT or quit early. */
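Review bot: The new bounding-set check treats a failed prctl(PR_CAPBSET_READ) the same as "not in the bounding set" (`!= 1` also matches -1), so an EINVAL or other error would silently drop the capability and log it with a misleading "missing from bounding set" message. Since `r` is already declared in this function, I would separate the two cases: `r = prctl(PR_CAPBSET_READ, i); if (r < 0) return -errno;` and then `if (r == 0 && FLAGS_SET(set, UINT64_C(1) << i)) { … suppress as now … }`. Testing FLAGS_SET first (and `continue`-ing when the bit is clear) also avoids one syscall per capability that was never requested, and `cap_last_cap()` could be read once into a local rather than on every loop iteration. Note that only a debug-level message records that a configured ambient capability was dropped, which makes the effective privilege set hard to audit from normal logs; whether that deserves a higher log level is a policy call for the maintainers. The body of capability_ambient_set_apply continues past the end of this hunk.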