[PATCH 1/2] virSetUIDGIDWithCaps: Check for capng_apply() retval properly
Cole Robinson
crobinso at redhat.com
Mon Jul 26 00:04:08 UTC 2021
On 7/22/21 11:29 AM, Michal Privoznik wrote:
> After all capabilities were set (except for CAP_SETGID,
> CAP_SETUID and CAP_SETPCAP) and after UID:GID was changed we drop
> the last aforementioned capabilities (we couldn't drop them
> before because we needed UID:GID and capabilities change).
> Therefore, there's final capng_apply() call. However, it's return
> value is not checked for properly. It's typical problem of:
>
> var = func() < 0
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/util/virutil.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index ed3d57662b..aba0aea0ff 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1261,7 +1261,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
> if (need_setpcap)
> capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
>
> - if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
> + if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
> virReportError(VIR_ERR_INTERNAL_ERROR,
> _("cannot apply process capabilities %d"), capng_ret);
> return -1;
>
Does this have any functional impact?
before: if (((a = b()) < c))
after: if ((a = b()) < c)
Looks like a paren was dropped off outside, which shouldn't make a
difference. So IMO amend the commit message and push as trivial.
- Cole
More information about the libvir-list
mailing list