[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 1/5] util: simplify virSetUIDGIDWithCaps



On 03/28/2013 04:04 AM, Paolo Bonzini wrote:
> 
>>>      /* Change to the temp capabilities */
>>> -    if ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
>>> +    if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
>>
>> Beforehand, we limited both caps and bounding set, with an overlarge
>> set, now you are limiting just caps...
>>

>>> +    /* Set bounding set while we have CAP_SETPCAP.  Unfortunately we cannot
>>> +     * do this if we failed to get the capability above, so ignore the
>>> +     * return value.
>>> +     */
>>> +    capng_apply(CAPNG_SELECT_BOUNDS);
>>
>> ...and then separately limiting bounds, but still while having an
>> overlarge set.
>>

>>>          capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
>>>          CAP_SETPCAP);
>>
>> Here, the set is now pruned to size...
>>
>>>  
>>> -    if (need_prctl && ((capng_ret =
>>> capng_apply(CAPNG_SELECT_BOTH)) < 0)) {
>>> +    if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
>>
>> ...but you are now only limiting caps, not the bounding set.  Is that
>> correct?
> 
> Yes, the code after capng(CAPNG_SELECT_BOUNDS) does not affect the
> bounding set.

Ah, I see now - the CAPNG_* flags to the second parameter of
capng_update did not alter CAPNG_BOUNDING_SET.

ACK; I've gone ahead and pushed this patch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]