diff options
author | Alexander Larsson <alexl@redhat.com> | 2016-03-30 10:23:07 +0200 |
---|---|---|
committer | Alexander Larsson <alexl@redhat.com> | 2016-03-30 10:23:07 +0200 |
commit | 33e09be5c998019042f03f945ed7e0527ac72f8f (patch) | |
tree | 99c0d64f3a1a94dad3be7693f188e786e5c95ef6 | |
parent | ef09d6fa83e90897e04baa1b9c443d0fe15efc52 (diff) | |
download | xdg-app-33e09be5c998019042f03f945ed7e0527ac72f8f.tar.gz |
helper: Use 64bit capset/capget versions
This fixed kernel warnings about 32bit capabilities APIs on some distros.
-rw-r--r-- | common/xdg-app-helper.c | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/common/xdg-app-helper.c b/common/xdg-app-helper.c index f45069b..36c54f7 100644 --- a/common/xdg-app-helper.c +++ b/common/xdg-app-helper.c @@ -1948,22 +1948,27 @@ do_init (int event_fd, pid_t initial_pid) return initial_exit_status; } -#define REQUIRED_CAPS (CAP_TO_MASK(CAP_SYS_ADMIN)) +/* low 32bit caps needed */ +#define REQUIRED_CAPS_0 (CAP_TO_MASK(CAP_SYS_ADMIN)) +/* high 32bit caps needed */ +#define REQUIRED_CAPS_1 0 static void acquire_caps (void) { struct __user_cap_header_struct hdr; - struct __user_cap_data_struct data; + struct __user_cap_data_struct data[2]; memset (&hdr, 0, sizeof(hdr)); - hdr.version = _LINUX_CAPABILITY_VERSION; + hdr.version = _LINUX_CAPABILITY_VERSION_3; - if (capget (&hdr, &data) < 0) + if (capget (&hdr, data) < 0) die_with_error ("capget failed"); - if (((data.effective & REQUIRED_CAPS) == REQUIRED_CAPS) && - ((data.permitted & REQUIRED_CAPS) == REQUIRED_CAPS)) + if (((data[0].effective & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) && + ((data[0].permitted & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) && + ((data[1].effective & REQUIRED_CAPS_1) == REQUIRED_CAPS_1) && + ((data[1].permitted & REQUIRED_CAPS_1) == REQUIRED_CAPS_1)) is_privileged = TRUE; if (getuid () != geteuid ()) @@ -1980,13 +1985,16 @@ acquire_caps (void) if (is_privileged) { memset (&hdr, 0, sizeof(hdr)); - hdr.version = _LINUX_CAPABILITY_VERSION; + hdr.version = _LINUX_CAPABILITY_VERSION_3; /* Drop all non-require capabilities */ - data.effective = REQUIRED_CAPS; - data.permitted = REQUIRED_CAPS; - data.inheritable = 0; - if (capset (&hdr, &data) < 0) + data[0].effective = REQUIRED_CAPS_0; + data[0].permitted = REQUIRED_CAPS_0; + data[0].inheritable = 0; + data[1].effective = REQUIRED_CAPS_1; + data[1].permitted = REQUIRED_CAPS_1; + data[1].inheritable = 0; + if (capset (&hdr, data) < 0) die_with_error ("capset failed"); } /* Else, we try unprivileged user namespaces */ @@ -1996,18 +2004,21 @@ static void drop_caps (void) { struct __user_cap_header_struct hdr; - struct __user_cap_data_struct data; + struct __user_cap_data_struct data[2]; if (!is_privileged) return; memset (&hdr, 0, sizeof(hdr)); - hdr.version = _LINUX_CAPABILITY_VERSION; - data.effective = 0; - data.permitted = 0; - data.inheritable = 0; - - if (capset (&hdr, &data) < 0) + hdr.version = _LINUX_CAPABILITY_VERSION_3; + data[0].effective = 0; + data[0].permitted = 0; + data[0].inheritable = 0; + data[1].effective = 0; + data[1].permitted = 0; + data[1].inheritable = 0; + + if (capset (&hdr, data) < 0) die_with_error ("capset failed"); if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) < 0) |