Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle new capabilities gracefully #16420

Closed
wants to merge 2 commits into from
Closed

Handle new capabilities gracefully #16420

wants to merge 2 commits into from

Conversation

keszybz
Copy link
Member

@keszybz keszybz commented Jul 9, 2020

No description provided.

@keszybz
basic/cap-list: parse/print numerical capabilities
ad55490 
We would refuse to print capabilities which were didn't have a name
for. The kernel adds new capabilities from time to time, most recently
cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
"Failed to parse bus message: Invalid argument" because
capability_set_to_string_alloc() would fail with -EINVAL. So let's
print such capabilities in hexadecimal:

CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
  cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
  cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
  cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16
  0x17 0x18 0x19 0x1a ...

For symmetry, also allow capabilities that we don't know to be specified.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
@keszybz
basic/cap-list: reduce scope of variables
11f91d9
poettering
poettering requested changes Jul 10, 2020
View reviewed changes
src/basic/cap-list.c
if (!p)
return -EINVAL;
if (!p) {
xsprintf(buf, "0x%lx", i);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i is an int, hence just use %x rather than %lxhere?

src/basic/cap-list.c
@@ -36,7 +37,7 @@ int capability_from_name(const char *name) {
/* Try to parse numeric capability */
r = safe_atoi(name, &i);
if (r >= 0) {
if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
if (i >= 0 &&)
return i;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, given that we store caps masks in a 64 bit unsigned integer we should refuse caps > 63 here

@poettering poettering added ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels Jul 10, 2020
@keszybz
Copy link
Member Author

keszybz commented Jul 10, 2020

Oh, I pushed the branch to the main repo by mistake. I'll open a new pull request with the latest version.

@keszybz keszybz closed this Jul 10, 2020
@keszybz keszybz deleted the cap-bpf-compat branch July 10, 2020 16:47
@keszybz keszybz mentioned this pull request Jul 10, 2020
Merged
@samdoran samdoran mentioned this pull request Oct 1, 2020
Closed
pm98zz-c pushed a commit to codeenigma/ce-dev that referenced this pull request Oct 6, 2020
Workaround bug in systemd systemd/systemd#16420
a4c11e8
@iboernig iboernig mentioned this pull request Dec 15, 2020
Closed
@lguohan lguohan mentioned this pull request Feb 7, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@panaman67 panaman67 panaman67 left review comments

@poettering poettering poettering requested changes

Assignees
No one assigned
Labels
ci-fails/needs-rework 🔥 Please rework this, the CI noticed an issue with the PR replaced-by-newer-pr reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks util-lib
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@keszybz @poettering @panaman67