Merge pull request #14133 from keur/clear_ambient_inherited

Clear ambient inherited

src/basic/capability-util.c

@@ -86,20 +86,17 @@ unsigned long cap_last_cap(void) {
 int capability_update_inherited_set(cap_t caps, uint64_t set) {
         unsigned long i;
 
-        /* Add capabilities in the set to the inherited caps. Do not apply
-         * them yet. */
+        /* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
+         * Do not apply them yet. */
 
         for (i = 0; i <= cap_last_cap(); i++) {
+                cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
+                cap_value_t v;
 
-                if (set & (UINT64_C(1) << i)) {
-                        cap_value_t v;
-
-                        v = (cap_value_t) i;
+                v = (cap_value_t) i;
 
-                        /* Make the capability inheritable. */
-                        if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
-                                return -errno;
-                }
+                if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, flag) < 0)
+                        return -errno;
         }
 
         return 0;
@@ -132,6 +129,17 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
                         /* Add the capability to the ambient set. */
                         if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
                                 return -errno;
+                } else {
+
+                        /* Drop the capability so we don't inherit capabilities we didn't ask for. */
+                        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
+                        if (r < 0)
+                                return -errno;
+
+                        if (r)
+                                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
+                                        return -errno;
+
                 }
         }
 

src/core/execute.c

@@ -3595,8 +3595,7 @@ static int exec_child(
 
                 /* This is done before enforce_user, but ambient set
                  * does not survive over setresuid() if keep_caps is not set. */
-                if (!needs_ambient_hack &&
-                    context->capability_ambient_set != 0) {
+                if (!needs_ambient_hack) {
                         r = capability_ambient_set_apply(context->capability_ambient_set, true);
                         if (r < 0) {
                                 *exit_status = EXIT_CAPABILITIES;

src/test/test-capability.c

@@ -195,7 +195,7 @@ static void test_update_inherited_set(void) {
         cap_free(caps);
 }
 
-static void test_set_ambient_caps(void) {
+static void test_apply_ambient_caps(void) {
         cap_t caps;
         uint64_t set = 0;
         cap_flag_value_t fv;
@@ -207,11 +207,21 @@ static void test_set_ambient_caps(void) {
         assert_se(!capability_ambient_set_apply(set, true));
 
         caps = cap_get_proc();
+        assert_se(caps);
         assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
-        assert(fv == CAP_SET);
+        assert_se(fv == CAP_SET);
         cap_free(caps);
 
         assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1);
+
+        assert_se(!capability_ambient_set_apply(0, true));
+        caps = cap_get_proc();
+        assert_se(caps);
+        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
+        assert_se(fv == CAP_CLEAR);
+        cap_free(caps);
+
+        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
 }
 
 static void test_ensure_cap_64bit(void) {
@@ -259,7 +269,7 @@ int main(int argc, char *argv[]) {
         fork_test(test_have_effective_cap);
 
         if (run_ambient)
-                fork_test(test_set_ambient_caps);
+                fork_test(test_apply_ambient_caps);
 
         return 0;
 }