Re: [PATCH 2/2] virSetUIDGIDWithCaps: Assume PR_CAPBSET_DROP is always defined


 



On Fri, Jun 25, 2021 at 09:22:56AM +0200, Michal Privoznik wrote:
Bounding set capabilities were introduced in kernel commit of
v2.6.25-rc1~912. I guess it is safe to assume that all Linux
hosts we ran on have at least that version or newer.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
src/util/virutil.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)


Reviewed-by: Martin Kletzander <mkletzan@xxxxxxxxxx>

I guess this one can wait after the release

diff --git a/src/util/virutil.c b/src/util/virutil.c
index 199d405286..ed3d57662b 100644
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -1182,13 +1182,12 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
        need_setuid = true;
        capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID);
    }
-# ifdef PR_CAPBSET_DROP
-    /* If newer kernel, we need also need setpcap to change the bounding set */
+
+    /* We need also need setpcap to change the bounding set */
    if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
        need_setpcap = true;
        capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
    }
-# endif

    /* Tell system we want to keep caps across uid change */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
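
Review bot: The replacement comment above the CAP_SETPCAP check still carries the duplicated word from the line it replaces ("We need also need setpcap"); since the line is being rewritten anyway, something like "We also need CAP_SETPCAP to change the bounding set" would read correctly and name the capability as the code does. With the "# ifdef PR_CAPBSET_DROP" / "# endif" pair gone, need_setpcap can now be set unconditionally on every build, so any other PR_CAPBSET_DROP guard later in virSetUIDGIDWithCaps (not visible in this hunk) that consumes need_setpcap or drops the bounding set should be removed in the same patch to keep the two paths consistent.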
--
2.31.1

Attachment: signature.asc
Description: PGP signature

