On 03/28/2013 04:04 AM, Paolo Bonzini wrote:
>> /* Change to the temp capabilities */
>> - if ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
>> + if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
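Review bot: the comment "/* Change to the temp capabilities */" above this line no longer explains why only CAPNG_SELECT_CAPS is applied here instead of CAPNG_SELECT_BOTH; add a sentence saying that the bounding set is applied in a separate step afterwards, so that the process still holds CAP_SETPCAP when the bounds are dropped, otherwise the next reader is likely to "fix" this back to CAPNG_SELECT_BOTH.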
>
> Beforehand, we limited both caps and bounding set, with an overlarge
> set, now you are limiting just caps...
>
>> + /* Set bounding set while we have CAP_SETPCAP.
Unfortunately we cannot
>> + * do this if we failed to get the capability above, so ignore the
>> + * return value.
>> + */
>> + capng_apply(CAPNG_SELECT_BOUNDS);
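Review bot: the return value of capng_apply(CAPNG_SELECT_BOUNDS) is discarded, so a failure to restrict the bounding set is silent; since the comment says this call is expected to fail when the capability was not obtained above, at least capture the return code into a local and log the failure, so an operator can tell that the bounding set was left unrestricted. The comment should also spell out the consequence: on failure the process keeps its full bounding set, and the later CAPNG_SELECT_CAPS apply does not touch it.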
>
> ...and then separately limiting bounds, but still while having an
> overlarge set.
>
>> capng_update(CAPNG_DROP,
CAPNG_EFFECTIVE|CAPNG_PERMITTED,
>> CAP_SETPCAP);
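Review bot: capng_update() is called here without checking its return value, while the surrounding capng_apply() calls do check capng_ret; check it for consistency, and add a one-line comment that CAP_SETPCAP is dropped only now, after the bounding set has been applied, because dropping bounds needs it. The CAPNG_EFFECTIVE|CAPNG_PERMITTED mask leaves CAPNG_BOUNDING_SET untouched, which is why the following CAPNG_SELECT_CAPS apply is sufficient.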
>
> Here, the set is now pruned to size...
>
>>
>> - if (need_prctl && ((capng_ret =
>> capng_apply(CAPNG_SELECT_BOTH)) < 0)) {
>> + if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
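Review bot: the `need_prctl &&` guard is dropped, so this capng_apply(CAPNG_SELECT_CAPS) now runs unconditionally; the commit message should say why the condition is no longer needed, and if need_prctl has no remaining users it should be removed to avoid an unused-variable warning. The extra parentheses in `if (((capng_ret = ...) < 0))` are redundant; `if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)` matches the form used earlier in the patch.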
>
> ...but you are now only limiting caps, not the bounding set. Is that
> correct?
Yes, the code after capng(CAPNG_SELECT_BOUNDS) does not affect the
bounding set.
Ah, I see now - the CAPNG_* flags to the second parameter of
capng_update did not alter CAPNG_BOUNDING_SET.
ACK; I've gone ahead and pushed this patch.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org