Tree - rpms/systemd - CentOS Git server

rpms / systemd

Files

Blob Blame History Raw

 From ae556c210942cb6986c6d77b58505b5daa66bbe2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 28 Jun 2011 13:33:56 +0200
Subject: [PATCH] execute: don't choke when systemd was compiled with a
 different CAP_LAST_CAP then what it is run with
 
---
 src/execute.c |   12 ++++++++----
 src/nspawn.c  |    4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)
 
diff --git a/src/execute.c b/src/execute.c
index a62f9db..b00ccde 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {
                 }
         }
 
-        for (i = 0; i <= CAP_LAST_CAP; i++)
+        for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
                 if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
                         if (prctl(PR_CAPBSET_DROP, i) < 0) {
+                                if (errno == EINVAL)
+                                        break;
+
                                 r = -errno;
                                 goto finish;
                         }
@@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                         (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 
         if (c->capability_bounding_set_drop) {
+                unsigned long l;
                 fprintf(f, "%sCapabilityBoundingSet:", prefix);
 
-                for (i = 0; i <= CAP_LAST_CAP; i++)
-                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
+                for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
+                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
                                 char *t;
 
-                                if ((t = cap_to_name(i))) {
+                                if ((t = cap_to_name(l))) {
                                         fprintf(f, " %s", t);
                                         cap_free(t);
                                 }
diff --git a/src/nspawn.c b/src/nspawn.c
index b5908d6..1ade6e2 100644
--- a/src/nspawn.c
+++ b/src/nspawn.c
@@ -332,7 +332,7 @@ static int drop_capabilities(void) {
 
         unsigned long l;
 
-        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) {
+        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {
                 unsigned i;
 
                 for (i = 0; i < ELEMENTSOF(retain); i++)
@@ -347,7 +347,7 @@ static int drop_capabilities(void) {
                         /* If this capability is not known, EINVAL
                          * will be returned, let's ignore this. */
                         if (errno == EINVAL)
-                                continue;
+                                break;
 
                         log_error("PR_CAPBSET_DROP failed: %m");
                         return -errno;
-- 
1.7.4.4

	From ae556c210942cb6986c6d77b58505b5daa66bbe2 Mon Sep 17 00:00:00 2001
	From: Lennart Poettering <lennart@poettering.net>
	Date: Tue, 28 Jun 2011 13:33:56 +0200
	Subject: [PATCH] execute: don't choke when systemd was compiled with a
	different CAP_LAST_CAP then what it is run with

	---
	src/execute.c \| 12 ++++++++----
	src/nspawn.c \| 4 ++--
	2 files changed, 10 insertions(+), 6 deletions(-)

	diff --git a/src/execute.c b/src/execute.c
	index a62f9db..b00ccde 100644
	--- a/src/execute.c
	+++ b/src/execute.c
	@@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {
	}
	}

	- for (i = 0; i <= CAP_LAST_CAP; i++)
	+ for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
	if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
	if (prctl(PR_CAPBSET_DROP, i) < 0) {
	+ if (errno == EINVAL)
	+ break;
	+
	r = -errno;
	goto finish;
	}
	@@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext c, FILE f, const char *prefix) {
	(c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");

	if (c->capability_bounding_set_drop) {
	+ unsigned long l;
	fprintf(f, "%sCapabilityBoundingSet:", prefix);

	- for (i = 0; i <= CAP_LAST_CAP; i++)
	- if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
	+ for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
	+ if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
	char *t;

	- if ((t = cap_to_name(i))) {
	+ if ((t = cap_to_name(l))) {
	fprintf(f, " %s", t);
	cap_free(t);
	}
	diff --git a/src/nspawn.c b/src/nspawn.c
	index b5908d6..1ade6e2 100644
	--- a/src/nspawn.c
	+++ b/src/nspawn.c
	@@ -332,7 +332,7 @@ static int drop_capabilities(void) {

	unsigned long l;

	- for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) {
	+ for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {
	unsigned i;

	for (i = 0; i < ELEMENTSOF(retain); i++)
	@@ -347,7 +347,7 @@ static int drop_capabilities(void) {
	/* If this capability is not known, EINVAL
	* will be returned, let's ignore this. */
	if (errno == EINVAL)
	- continue;
	+ break;

	log_error("PR_CAPBSET_DROP failed: %m");
	return -errno;
	--
	1.7.4.4

rpms / systemd

Source Code

Files