On 7/22/21 11:29 AM, Michal Privoznik wrote:
> After all capabilities were set (except for CAP_SETGID,
> CAP_SETUID and CAP_SETPCAP) and after UID:GID was changed we drop
> the last aforementioned capabilities (we couldn't drop them
> before because we needed UID:GID and capabilities change).
> Therefore, there's a final capng_apply() call. However, its return
> value is not checked for properly. It's a typical problem of:
>
> var = func() < 0
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
> src/util/virutil.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index ed3d57662b..aba0aea0ff 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1261,7 +1261,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
> if (need_setpcap)
> capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETPCAP);
>
> - if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
> + if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
> virReportError(VIR_ERR_INTERNAL_ERROR,
> _("cannot apply process capabilities %d"), capng_ret);
> return -1;
>

Does this have any functional impact?

before: if (((a = b()) < c))
after: if ((a = b()) < c)

Looks like a paren was dropped off outside, which shouldn't make a difference. So IMO amend the commit message and push as trivial.

- Cole
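
Review bot: The commit message's `var = func() < 0` description does not match the changed condition in virSetUIDGIDWithCaps(). In the removed line `if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0))` the assignment already sits in its own parentheses, so capng_ret received the capng_apply() return code and the `< 0` test was applied to that value. The added line only drops the redundant outer pair of parentheses, so the check on the final capability drop behaves the same before and after. Reword the message as a cosmetic cleanup rather than a fix for an unchecked return value.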