[PATCH 1/2] virSetUIDGIDWithCaps: Check for capng_apply() retval properly

Cole Robinson crobinso at redhat.com
Mon Jul 26 00:04:08 UTC 2021


On 7/22/21 11:29 AM, Michal Privoznik wrote:
> After all capabilities were set (except for CAP_SETGID,
> CAP_SETUID and CAP_SETPCAP) and after UID:GID was changed we drop
> the last aforementioned capabilities (we couldn't drop them
> before because we needed UID:GID and capabilities change).
> Therefore, there's a final capng_apply() call. However, its return
> value is not checked for properly. It's a typical problem of:
> 
>   var = func() < 0
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/util/virutil.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index ed3d57662b..aba0aea0ff 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1261,7 +1261,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
>      if (need_setpcap)
>          capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
>  
> -    if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
> +    if  ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
>          virReportError(VIR_ERR_INTERNAL_ERROR,
>                         _("cannot apply process capabilities %d"), capng_ret);
>          return -1;
> 
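Review bot: on the changed `if` line, the removed form `((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)` already wraps the assignment in its own parentheses before the `< 0` comparison, so capng_ret received the return value both before and after; the only difference is one redundant outer pair of parentheses, and the `var = func() < 0` problem described in the commit message is not present in the removed line. Suggest rewording the commit message as a cosmetic cleanup. The added line also leaves two spaces between `if` and the opening parenthesis; a single space would match the surrounding `if (need_setpcap)`.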

Does this have any functional impact?

before: if (((a = b()) < c))
after:  if  ((a = b()) < c)

Looks like a paren was dropped off outside, which shouldn't make a
difference. So IMO amend the commit message and push as trivial.

- Cole	



