From 39f608e4b0ec2eea0a1a97df14bbcbe511101e18 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 9 Aug 2017 15:07:15 +0200
Subject: [PATCH] capability: add new ambient_capabilities_supported() helper

This new function reports whether ambient caps are available, and should be quick because the result is cached.
---
 src/basic/capability-util.c | 15 +++++++++++++++
 src/basic/capability-util.h | 2 ++
 src/test/test-capability.c | 2 ++
 3 files changed, 19 insertions(+)

diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index fe10536a699..96c2e992bdd 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -370,3 +370,18 @@ int drop_capability(cap_value_t cv) {
 return 0;
 }
+
+bool ambient_capabilities_supported(void) {
+ static int cache = -1;
+
+ if (cache >= 0)
+ return cache;
+
+ /* If PR_CAP_AMBIENT returns something valid, or an unexpected error code we assume that ambient caps are
+ * available. */
+
+ cache = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_KILL, 0, 0) >= 0 ||
+ !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS);
+
+ return cache;
+}
diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 35a896e229f..3dc9429153e 100644
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -55,3 +55,5 @@ static inline bool cap_test_all(uint64_t caps) {
 m = (UINT64_C(1) << (cap_last_cap() + 1)) - 1;
 return (caps & m) == m;
 }
+
+bool ambient_capabilities_supported(void);
diff --git a/src/test/test-capability.c b/src/test/test-capability.c
index 629bb63c81c..8276c75987d 100644
--- a/src/test/test-capability.c
+++ b/src/test/test-capability.c
@@ -205,6 +205,8 @@ int main(int argc, char *argv[]) {
 log_parse_environment();
 log_open();
+ log_info("have ambient caps: %s", yes_no(ambient_capabilities_supported()));
+
 if (getuid() != 0) return EXIT_TEST_SKIP;
-- 
2.47.3
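Review bot: In the capability-util.c hunk, `ambient_capabilities_supported()` fails open: `!IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)` treats every other prctl() failure as "supported", and the static `cache` keeps that answer for the rest of the process. If the probe is refused for an unrelated reason (for example EPERM from a sandbox filter, which is an assumption and not shown in this patch), callers would keep believing ambient capabilities work, so any privilege decision should still check the result of the actual raise or clear call. The comment should say this and explain the probe argument, e.g. `/* CAP_KILL is just an arbitrary valid capability to probe with. Unexpected errors count as "supported"; callers must still check the real PR_CAP_AMBIENT call. */`. The unsynchronized `static int cache` also deserves a word in that comment: concurrent first calls would presumably compute the same value, but that is worth stating rather than leaving implicit.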