Skip to content
Permalink
Browse files
basic/capability-util: let cap_last_cap() return unsigned integer
We never return anything higher than 63, so using "long unsigned"
as the type only confused the reader. (We can still use "long unsigned"
and safe_atolu() to parse the kernel file.)

(cherry picked from commit 864a25d)
  • Loading branch information
keszybz committed Sep 21, 2020
1 parent 325edff commit 261680bc0ea61777ac22ea1c42b0d728ec52ae14
Show file tree
Hide file tree
Showing 5 changed files with 18 additions and 27 deletions.
@@ -57,20 +57,19 @@ int capability_list_length(void) {

int capability_set_to_string_alloc(uint64_t set, char **s) {
_cleanup_free_ char *str = NULL;
unsigned long i;
size_t allocated = 0, n = 0;

assert(s);

for (i = 0; i <= cap_last_cap(); i++)
for (unsigned i = 0; i <= cap_last_cap(); i++)
if (set & (UINT64_C(1) << i)) {
const char *p;
char buf[2 + 16 + 1];
size_t add;

p = capability_to_name(i);
if (!p) {
xsprintf(buf, "0x%lx", i);
xsprintf(buf, "0x%x", i);
p = buf;
}

@@ -31,8 +31,8 @@ int have_effective_cap(int value) {
return fv == CAP_SET;
}

unsigned long cap_last_cap(void) {
static thread_local unsigned long saved;
unsigned cap_last_cap(void) {
static thread_local unsigned saved;
static thread_local bool valid = false;
_cleanup_free_ char *content = NULL;
unsigned long p = 0;
@@ -65,7 +65,7 @@ unsigned long cap_last_cap(void) {
if (prctl(PR_CAPBSET_READ, p) < 0) {

/* Hmm, look downwards, until we find one that works */
for (p--; p > 0; p --)
for (p--; p > 0; p--)
if (prctl(PR_CAPBSET_READ, p) >= 0)
break;

@@ -84,12 +84,10 @@ unsigned long cap_last_cap(void) {
}

int capability_update_inherited_set(cap_t caps, uint64_t set) {
unsigned long i;

/* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
* Do not apply them yet. */

for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {
cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
cap_value_t v;

@@ -104,11 +102,10 @@ int capability_update_inherited_set(cap_t caps, uint64_t set) {

int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
_cleanup_cap_free_ cap_t caps = NULL;
unsigned long i;
int r;

/* Remove capabilities requested in ambient set, but not in the bounding set */
for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {
if (set == 0)
break;

@@ -140,7 +137,7 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
return -errno;
}

for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {

if (set & (UINT64_C(1) << i)) {

@@ -167,7 +164,6 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
int capability_bounding_set_drop(uint64_t keep, bool right_now) {
_cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
cap_flag_value_t fv;
unsigned long i;
int r;

/* If we are run as PID 1 we will lack CAP_SETPCAP by default
@@ -204,7 +200,7 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) {
if (!after_cap)
return -errno;

for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {
cap_value_t v;

if ((keep & (UINT64_C(1) << i)))
@@ -390,7 +386,6 @@ bool ambient_capabilities_supported(void) {
}

bool capability_quintet_mangle(CapabilityQuintet *q) {
unsigned long i;
uint64_t combined, drop = 0;
bool ambient_supported;

@@ -402,7 +397,7 @@ bool capability_quintet_mangle(CapabilityQuintet *q) {
if (ambient_supported)
combined |= q->ambient;

for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {
unsigned long bit = UINT64_C(1) << i;
if (!FLAGS_SET(combined, bit))
continue;
@@ -431,16 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
int r;

if (q->ambient != (uint64_t) -1) {
unsigned long i;
bool changed = false;

c = cap_get_proc();
if (!c)
return -errno;

/* In order to raise the ambient caps set we first need to raise the matching inheritable + permitted
* cap */
for (i = 0; i <= cap_last_cap(); i++) {
/* In order to raise the ambient caps set we first need to raise the matching
* inheritable + permitted cap */
for (unsigned i = 0; i <= cap_last_cap(); i++) {
uint64_t m = UINT64_C(1) << i;
cap_value_t cv = (cap_value_t) i;
cap_flag_value_t old_value_inheritable, old_value_permitted;
@@ -475,15 +469,14 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {

if (q->inheritable != (uint64_t) -1 || q->permitted != (uint64_t) -1 || q->effective != (uint64_t) -1) {
bool changed = false;
unsigned long i;

if (!c) {
c = cap_get_proc();
if (!c)
return -errno;
}

for (i = 0; i <= cap_last_cap(); i++) {
for (unsigned i = 0; i <= cap_last_cap(); i++) {
uint64_t m = UINT64_C(1) << i;
cap_value_t cv = (cap_value_t) i;

@@ -12,7 +12,7 @@

#define CAP_ALL (uint64_t) -1

unsigned long cap_last_cap(void);
unsigned cap_last_cap(void);
int have_effective_cap(int value);
int capability_bounding_set_drop(uint64_t keep, bool right_now);
int capability_bounding_set_drop_usermode(uint64_t keep);
@@ -650,16 +650,15 @@ _public_ int sd_bus_creds_get_description(sd_bus_creds *c, const char **ret) {
}

static int has_cap(sd_bus_creds *c, size_t offset, int capability) {
unsigned long lc;
size_t sz;

assert(c);
assert(capability >= 0);
assert(c->capability);

lc = cap_last_cap();
unsigned lc = cap_last_cap();

if ((unsigned long) capability > lc)
if ((unsigned) capability > lc)
return 0;

/* If the last cap is 63, then there are 64 caps defined, and we need 2 entries á 32bit hence. *
@@ -240,7 +240,7 @@ static void test_ensure_cap_64bit(void) {
assert_se(p <= 63);

/* Also check for the header definition */
assert_se(CAP_LAST_CAP <= 63);
assert_cc(CAP_LAST_CAP <= 63);
}

int main(int argc, char *argv[]) {

0 comments on commit 261680b

Please sign in to comment.