Tree - rpms/systemd - src.fedoraproject.org

rpms / systemd

Overview Files Commits Branches Forks Releases
Monitoring status:

Bugzilla Assignee:

Fedora:: systemd-maint
EPEL:: systemd-maint
Files

Blob Blame History Raw
From ae556c210942cb6986c6d77b58505b5daa66bbe2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 28 Jun 2011 13:33:56 +0200
Subject: [PATCH] execute: don't choke when systemd was compiled with a
 different CAP_LAST_CAP then what it is run with

---
 src/execute.c |   12 ++++++++----
 src/nspawn.c  |    4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/execute.c b/src/execute.c
index a62f9db..b00ccde 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -957,9 +957,12 @@ static int do_capability_bounding_set_drop(uint64_t drop) {
                 }
         }
 
-        for (i = 0; i <= CAP_LAST_CAP; i++)
+        for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
                 if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
                         if (prctl(PR_CAPBSET_DROP, i) < 0) {
+                                if (errno == EINVAL)
+                                        break;
+
                                 r = -errno;
                                 goto finish;
                         }
@@ -1754,13 +1757,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                         (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 
         if (c->capability_bounding_set_drop) {
+                unsigned long l;
                 fprintf(f, "%sCapabilityBoundingSet:", prefix);
 
-                for (i = 0; i <= CAP_LAST_CAP; i++)
-                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
+                for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
+                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
                                 char *t;
 
-                                if ((t = cap_to_name(i))) {
+                                if ((t = cap_to_name(l))) {
                                         fprintf(f, " %s", t);
                                         cap_free(t);
                                 }
diff --git a/src/nspawn.c b/src/nspawn.c
index b5908d6..1ade6e2 100644
--- a/src/nspawn.c
+++ b/src/nspawn.c
@@ -332,7 +332,7 @@ static int drop_capabilities(void) {
 
         unsigned long l;
 
-        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) {
+        for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {
                 unsigned i;
 
                 for (i = 0; i < ELEMENTSOF(retain); i++)
@@ -347,7 +347,7 @@ static int drop_capabilities(void) {
                         /* If this capability is not known, EINVAL
                          * will be returned, let's ignore this. */
                         if (errno == EINVAL)
-                                continue;
+                                break;
 
                         log_error("PR_CAPBSET_DROP failed: %m");
                         return -errno;
-- 
1.7.4.4
rpms / systemd

Source Code

Files
