mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-02 23:03:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

execute: don't choke when systemd was compiled with a different CAP_LAST_CAP then what it is run with

Browse Source
This commit is contained in:
Lennart Poettering 2011-06-28 13:33:56 +02:00
parent c99ddfaa1a
commit ae556c2109
2 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/execute.c
View File

@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {
}
}
for (i = 0; i <= CAP_LAST_CAP; i++)
for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
if (prctl(PR_CAPBSET_DROP, i) < 0) {
if (errno == EINVAL)
break;
r = -errno;
goto finish;
}
@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
(c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
if (c->capability_bounding_set_drop) {
unsigned long l;
fprintf(f, "%sCapabilityBoundingSet:", prefix);
for (i = 0; i <= CAP_LAST_CAP; i++)
if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
char *t;
if ((t = cap_to_name(i))) {
if ((t = cap_to_name(l))) {
fprintf(f, " %s", t);
cap_free(t);
}

2
src/nspawn.c
View File

@ -347,7 +347,7 @@ static int drop_capabilities(void) {
/* If this capability is not known, EINVAL
* will be returned, let's ignore this. */
if (errno == EINVAL)
continue;
break;
log_error("PR_CAPBSET_DROP failed: %m");
return -errno;