capng_apply: apply CAPNG_SELECT_CAPS before CAPNG_SELECT_BOUNDS #23
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When using capng_apply(CAPNG_SELECT_BOTH), libcap-ng before version 0.8.1 silently skipped applying bounding capabilities if CAP_SETPCAP was not given and continued to apply CAPNG_SELECT_CAPS. libcap-ng 0.8.1 changed this behaviour in commits 6a24a9c and 2ab6a03 to return with an error when trying to set bounding capabilities without having CAP_SETPCAP. While this change generally is useful to be able to detect more errors, it means that capng_apply(CAPNG_SELECT_BOTH) now does not even apply CAPNG_SELECT_CAPS any more since the function returns early after failing to apply the bounding capabilities. This change in behaviour might be surprising for legacy code that simply copied capng_apply(CAPNG_SELECT_BOTH) from the example code in the README and does not check the return value to see whether something went wrong. In this case, no capabilities are applied at all any more, which is a breaking change. Applying CAPNG_SELECT_CAPS before CAPNG_SELECT_BOUNDS means that at least the CAPNG_SELECT_CAPS are applied, while still failing with an error of -4 when CAPNG_SELECT_BOTH is used without CAP_SETPCAP. I hope this strikes a balance between the need for better error checking and backwards compatibility with legacy code that does not perform any error checking on capng_apply, thus silently failing to apply any capabilities at all.
|
The big issue with this approach is that if capabilities are applied and drops CAP_SETPCAP, now you can't change the bounding set. So, it needs to come first. Perhaps we can continue and apply what we can. I'll look more at this. |
I see, I am going to close this PR then.
That would be great, since as of now, a lot of software just silently fails to drop capabilities since it does not have |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using
capng_apply(CAPNG_SELECT_BOTH), libcap-ng before version 0.8.1 silently skipped applying bounding capabilities ifCAP_SETPCAPwas not given and continued to applyCAPNG_SELECT_CAPS.libcap-ng 0.8.1 changed this behaviour in commits 6a24a9c and 2ab6a03 to return with an error when trying to set bounding capabilities without having
CAP_SETPCAP. While this change generally is useful to be able to detect more errors, it means thatcapng_apply(CAPNG_SELECT_BOTH)now does not even applyCAPNG_SELECT_CAPSany more since the function returns early after failing to apply the bounding capabilities.This change in behaviour might be surprising for legacy code that simply copied
capng_apply(CAPNG_SELECT_BOTH)from the example code in the README and does not check the return value to see whether something went wrong. In this case, no capabilities are applied at all any more, which is a breaking change.Applying
CAPNG_SELECT_CAPSbeforeCAPNG_SELECT_BOUNDSmeans that at least theCAPNG_SELECT_CAPSare applied, while still failing with an error of-4whenCAPNG_SELECT_BOTHis used withoutCAP_SETPCAP.I hope this strikes a balance between the need for better error checking and backwards compatibility with legacy code that does not perform any error checking on
capng_apply, thus silently failing to apply any capabilities at all.