On Fri, Jun 25, 2021 at 09:22:56AM +0200, Michal Privoznik wrote:
Bounding set capabilities were introduced in kernel commit of v2.6.25-rc1~912. I guess it is safe to assume that all Linux hosts we ran on have at least that version or newer. Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> --- src/util/virutil.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
Reviewed-by: Martin Kletzander <mkletzan@xxxxxxxxxx> I guess this one can wait after the release
diff --git a/src/util/virutil.c b/src/util/virutil.c index 199d405286..ed3d57662b 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -1182,13 +1182,12 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups, need_setuid = true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID); } -# ifdef PR_CAPBSET_DROP - /* If newer kernel, we need also need setpcap to change the bounding set */ + + /* We need also need setpcap to change the bounding set */ if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { need_setpcap = true; capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP); } -# endif /* Tell system we want to keep caps across uid change */ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { -- 2.31.1
Attachment:
signature.asc
Description: PGP signature