

Detect capability options at runtime to make containerization easier
RH-steve-grubb committed Sep 28, 2021
1 parent 75f6bb5 commit 187ed53
Showing 2 changed files with 26 additions and 15 deletions.
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,5 +1,6 @@
0.8.3
- Fix parameters to capng_updatev python bindings to be signed
- Detect capability options at runtime to make containerization easier (ntkme)

0.8.2
- In capng_apply, if we blew up in bounding set, allow setting capabilities
40 changes: 25 additions & 15 deletions src/cap-ng.c
@@ -1,5 +1,5 @@
/* libcap-ng.c --
* Copyright 2009-10, 2013, 2017, 2020 Red Hat Inc.
* Copyright 2009-10, 2013, 2017, 2020-21 Red Hat Inc.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -61,16 +61,16 @@ unsigned int last_cap hidden = 0;
* 4.14 kernel VFS_CAP_REVISION_3
*/
#ifdef PR_CAPBSET_DROP
int HAVE_PR_CAPBSET_DROP hidden = 1;
static int HAVE_PR_CAPBSET_DROP = 0;
#endif
#ifdef PR_SET_SECUREBITS
int HAVE_PR_SET_SECUREBITS hidden = 1;
static int HAVE_PR_SET_SECUREBITS = 0;
#endif
#ifdef PR_SET_NO_NEW_PRIVS
int HAVE_PR_SET_NO_NEW_PRIVS hidden = 1;
static int HAVE_PR_SET_NO_NEW_PRIVS = 0;
#endif
#ifdef PR_CAP_AMBIENT
int HAVE_PR_CAP_AMBIENT hidden = 1;
static int HAVE_PR_CAP_AMBIENT = 0;
#endif

/* External syscall prototypes */
@@ -261,20 +261,28 @@ static void init_lib(void)
}
// Detect prctl options at runtime
#ifdef PR_CAPBSET_DROP
if (prctl(PR_CAPBSET_READ, 0, 0, 0, 0) < 0 && errno == EINVAL)
HAVE_PR_CAPBSET_DROP = 0;
errno = 0;
prctl(PR_CAPBSET_READ, 0, 0, 0, 0);
if (!errno)
HAVE_PR_CAPBSET_DROP = 1;
#endif
#ifdef PR_SET_SECUREBITS
if (prctl(PR_GET_SECUREBITS, 0, 0, 0, 0) < 0 && errno == EINVAL)
HAVE_PR_SET_SECUREBITS = 0;
errno = 0;
prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
if (!errno)
HAVE_PR_SET_SECUREBITS = 1;
#endif
#ifdef PR_SET_NO_NEW_PRIVS
if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) < 0 && errno == EINVAL)
HAVE_PR_SET_NO_NEW_PRIVS = 0;
errno = 0;
prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
if (!errno)
HAVE_PR_SET_NO_NEW_PRIVS = 1;
#endif
#ifdef PR_CAP_AMBIENT
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, 0, 0, 0) < 0 && errno == EINVAL)
HAVE_PR_CAP_AMBIENT = 0;
errno = 0;
prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, 0, 0, 0);
if (!errno)
HAVE_PR_CAP_AMBIENT = 1;
#endif
}

@@ -1132,7 +1140,8 @@ if (HAVE_PR_CAPBSET_DROP) {
else
return CAPNG_PARTIAL;
}
}
} else
empty = 1;
#endif
#ifdef PR_CAP_AMBIENT
if (HAVE_PR_CAP_AMBIENT) {
@@ -1150,7 +1159,8 @@ if (HAVE_PR_CAP_AMBIENT) {
else
return CAPNG_PARTIAL;
}
}
} else
empty = 1;
#endif
if (empty == 1 && full == 0)
return CAPNG_NONE;
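Review bot: The new probes in init_lib decide availability from errno alone after discarding prctl's return value (the `errno = 0; prctl(...); if (!errno)` triples in the -261,20 hunk), and the C standard does not guarantee that a successful library call leaves errno at 0, so a zero-errno test can misreport a working option as absent. Testing the return value is both shorter and portable, `if (prctl(PR_CAPBSET_READ, 0, 0, 0, 0) >= 0) HAVE_PR_CAPBSET_DROP = 1;`, and the same one-line form fits the three other options, since PR_CAPBSET_READ, PR_GET_SECUREBITS, PR_GET_NO_NEW_PRIVS and PR_CAP_AMBIENT_IS_SET all yield a non-negative value on success. Note also that, unlike the removed lines which only treated EINVAL as "not supported", any failure (for example EPERM from a seccomp filter on prctl) now disables the option; if that is intended for containers, a comment on the probe saying so would help, because the two later hunks use these flags to mark the set as `empty`, which a caller could read as "no capabilities held" when the kernel merely refused the probe. init_lib begins outside the hunk.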

