[PATCH 2/2] virSetUIDGIDWithCaps: Assume PR_CAPBSET_DROP is always defined

Martin Kletzander mkletzan at redhat.com
Mon Jun 28 15:08:46 UTC 2021


On Fri, Jun 25, 2021 at 09:22:56AM +0200, Michal Privoznik wrote:
>Bounding set capabilities were introduced in kernel commit of
>v2.6.25-rc1~912. I guess it is safe to assume that all Linux
>hosts we ran on have at least that version or newer.
>
>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>---
> src/util/virutil.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>

Reviewed-by: Martin Kletzander <mkletzan at redhat.com>

I guess this one can wait until after the release

>diff --git a/src/util/virutil.c b/src/util/virutil.c
>index 199d405286..ed3d57662b 100644
>--- a/src/util/virutil.c
>+++ b/src/util/virutil.c
>@@ -1182,13 +1182,12 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
>         need_setuid = true;
>         capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID);
>     }
>-# ifdef PR_CAPBSET_DROP
>-    /* If newer kernel, we need also need setpcap to change the bounding set */
>+
>+    /* We need also need setpcap to change the bounding set */
>     if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
>         need_setpcap = true;
>         capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
>     }
>-# endif
>
>     /* Tell system we want to keep caps across uid change */
>     if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
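Review bot: the rewritten comment on the `+` line still carries the doubled verb from the line it replaces ("We need also need setpcap"); since the comment is being touched anyway, make it "We also need CAP_SETPCAP to change the bounding set". One more point worth a sentence in the commit message: `PR_CAPBSET_DROP` is a macro that comes from the prctl headers at build time, so the `# ifdef` being removed was guarding against old build headers rather than an old running kernel, and the kernel-version argument in the message only covers the runtime side. The code change itself looks right: with the guard gone, the `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` check and the matching `capng_update` now run unconditionally on every Linux build, which is the stated intent.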
>-- 
>2.31.1
>
