
On 03/28/2013 04:04 AM, Paolo Bonzini wrote:
/* Change to the temp capabilities */ - if ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) { + if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
Beforehand, we limited both caps and bounding set, with an overlarge set; now you are limiting just caps...
+ /* Set bounding set while we have CAP_SETPCAP. Unfortunately we cannot + * do this if we failed to get the capability above, so ignore the + * return value. + */ + capng_apply(CAPNG_SELECT_BOUNDS);
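Review bot: the return value of capng_apply(CAPNG_SELECT_BOUNDS) is discarded silently in the added call, so when CAP_SETPCAP could not be obtained the process keeps its full bounding set and nothing records that. The comment explains why the failure cannot be treated as fatal, but a debug-level log of the failed call would make the weaker confinement visible, and an explicit discard (for example a (void) cast) would show static checkers and readers that ignoring the result is intentional.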
...and then separately limiting bounds, but still while having an overlarge set.
capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
Here, the set is now pruned to size...
- if (need_prctl && ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0)) { + if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
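Review bot: the new condition on the + line carries a redundant pair of parentheses left over from removing the need_prctl && guard: if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) can lose the outermost pair. With the guard gone this final apply now runs unconditionally, so if need_prctl has no other use in the function it should be removed along with it.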
...but you are now only limiting caps, not the bounding set. Is that correct?
Yes, the code after capng(CAPNG_SELECT_BOUNDS) does not affect the bounding set.
Ah, I see now - the CAPNG_* flags to the second parameter of capng_update did not alter CAPNG_BOUNDING_SET. ACK; I've gone ahead and pushed this patch.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org