
basic: Fix capability_ambient_set_apply for kernels < 4.3 #15246

Merged (1 commit) Mar 29, 2020

Conversation

kkuehlz (Contributor) commented Mar 27, 2020

#14133 made capability_ambient_set_apply() acquire capabilities that were explicitly asked for and drop all others. This change means the function is called even with an empty capability set, opening up a code path for users without ambient capabilities to call this function. This function will error out with EINVAL on kernels < 4.3 because PR_CAP_AMBIENT is not understood. This turns capability_ambient_set_apply() into a noop for kernels < 4.3.

Fixes #15225

kkuehlz (Contributor, Author) commented Mar 27, 2020

I guess I cannot request reviewers through GH so... cc @keszybz @anitazha

keszybz (Member) commented Mar 29, 2020

Thanks, LGTM.

> I guess I cannot request reviewers through GH so... cc @keszybz @anitazha

I generally review all systemd PRs, so I'd see the PR even without a mention or review request.

@keszybz keszybz added the pid1 label Mar 29, 2020
@keszybz keszybz merged commit 7ea4392 into systemd:master Mar 29, 2020
poettering (Member) commented
uh, I don't think setting ambient caps should be a NOP on old kernels. What's the rationale here? I don't follow?

I mean, I think it's fine to ignore caps the underlying kernel doesn't know, for compat reasons. I also think it's ok to ignore caps not in our own bounding set (since apparently they were made unavailable to us as a whole and we probably should accept that), but if a cap is defined and we have it but cannot pass it, that should be an error condition, and this issue breaks that, no?

What am I missing? @keur can you elaborate?
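Added example, not systemd's code: a standalone C sketch of the apply step this PR changes and of the distinction raised in the objection above. It probes whether the running kernel understands PR_CAP_AMBIENT (pre-4.3 kernels answer EINVAL to the unknown prctl option), treats an empty set as a no-op on such kernels (the path that broke boot in #15225), ignores capability numbers the kernel does not know, but reports an error when capabilities were explicitly requested and cannot be passed. The function names ambient_caps_supported, cap_in_ambient and apply_ambient_set are assumptions made for this example; the prctl constants are the kernel's own values.

```c
/* Added example: standalone sketch of an ambient-capability apply step.
 * Not systemd's code; the function names are assumptions made for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* CAP_CHOWN, CAP_NET_BIND_SERVICE, ... */

/* prctl(2) constants introduced in Linux 4.3; defined here in case the headers are older. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT            47
#define PR_CAP_AMBIENT_IS_SET     1
#define PR_CAP_AMBIENT_RAISE      2
#define PR_CAP_AMBIENT_LOWER      3
#define PR_CAP_AMBIENT_CLEAR_ALL  4
#endif

/* Returns 1 if the running kernel understands PR_CAP_AMBIENT, 0 if it does not
 * (kernels < 4.3 answer EINVAL to the unknown option), or -errno on any other
 * failure. CAP_CHOWN (cap 0) is the probe because every kernel knows it. */
int ambient_caps_supported(void) {
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) >= 0)
                return 1;
        return errno == EINVAL ? 0 : -errno;
}

/* 1 if capability `cap` is currently in the ambient set, 0 otherwise
 * (including on kernels without ambient capabilities, where prctl fails). */
int cap_in_ambient(unsigned cap) {
        return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0) == 1;
}

/* Make the ambient set equal to `mask` (bit n set == capability n wanted).
 * Returns 0 on success or -errno. On kernels without PR_CAP_AMBIENT an empty
 * mask is a no-op (nothing was asked for, so there is nothing to fail), while a
 * non-empty mask is reported as -EOPNOTSUPP rather than silently dropped. */
int apply_ambient_set(uint64_t mask) {
        int supported = ambient_caps_supported();
        if (supported < 0)
                return supported;
        if (supported == 0)
                return mask == 0 ? 0 : -EOPNOTSUPP;

        /* Drop everything first, then raise exactly what was requested. */
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
                return -errno;

        for (unsigned cap = 0; cap < 64; cap++) {
                if (!(mask & (UINT64_C(1) << cap)))
                        continue;
                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) {
                        /* The kernel does not know this capability number at all:
                         * ignore it for compatibility, as the review above suggests. */
                        if (errno == EINVAL)
                                continue;
                        /* EPERM: the cap is not in both the permitted and the
                         * inheritable set, so it cannot be passed on. Surface it. */
                        return -errno;
                }
        }
        return 0;
}

int main(void) {
        int r = apply_ambient_set(0);
        printf("empty set: %s\n", r == 0 ? "ok" : strerror(-r));
        r = apply_ambient_set(UINT64_C(1) << CAP_NET_BIND_SERVICE);
        printf("raise CAP_NET_BIND_SERVICE: %s\n", r == 0 ? "ok" : strerror(-r));
        return 0;
}
```

Run as an unprivileged user, the second call is expected to fail with "Operation not permitted": raising an ambient capability requires it to be in both the permitted and the inheritable set, and that is exactly the error the objection above argues must not be masked by a blanket no-op. The empty-set call succeeds on every kernel, which is the behaviour the PR needed for boot to complete.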

Linked issue #15225: systemd 245 fails to complete boot sequence with kernels 3.xx