authorLennart Poettering <lennart@poettering.net>2012-04-23 00:32:43 +0200
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-09-13 14:24:19 +0100
commit2cf320fc82593fd1b3c71688f770e443366780ec (patch)
treea30e93011564ecd618f807bb70c4473bd1ca11b7 /bus/selinux.c
parentefd8209d0530c73bf0a0a4fff8449e76840dcd39 (diff)
downloaddbus-2cf320fc82593fd1b3c71688f770e443366780ec.tar.gz
selinux: when dropping capabilities only include AUDIT caps if we have them
When we drop capabilities we shouldn't assume we can keep CAP_AUDIT_WRITE unconditionally, since it will not be available when running in containers. This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we actually have it in the first place. This makes audit/selinux enabled D-Bus work in a Linux container. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062 Acked-by: Thiago Macieira <thiago@kde.org> Acked-by: Colin Walters <walters@verbum.org> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Diffstat (limited to 'bus/selinux.c')
-rw-r--r--bus/selinux.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/bus/selinux.c b/bus/selinux.c
index c36c94ec..7ae84d6d 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -1045,8 +1045,9 @@ _dbus_change_to_daemon_user (const char *user,
int rc;
capng_clear (CAPNG_SELECT_BOTH);
- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
- CAP_AUDIT_WRITE);
+ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
+ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{