On 03/28/2013 04:04 AM, Paolo Bonzini wrote:
>
>>> /* Change to the temp capabilities */
>>> - if ((capng_ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
>>> + if ((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0) {
>>
>> Beforehand, we limited both caps and bounding set, with an overlarge
>> set, now you are limiting just caps...
>>
>>> + /* Set bounding set while we have CAP_SETPCAP. Unfortunately we cannot
>>> + * do this if we failed to get the capability above, so ignore the
>>> + * return value.
>>> + */
>>> + capng_apply(CAPNG_SELECT_BOUNDS);
>>
>> ...and then separately limiting bounds, but still while having an
>> overlarge set.
>>
>>> capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
>>> CAP_SETPCAP);
>>
>> Here, the set is now pruned to size...
>>
>>>
>>> - if (need_prctl && ((capng_ret =
>>> capng_apply(CAPNG_SELECT_BOTH)) < 0)) {
>>> + if (((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)) {
>>
>> ...but you are now only limiting caps, not the bounding set. Is that
>> correct?
>
> Yes, the code after capng(CAPNG_SELECT_BOUNDS) does not affect the
> bounding set.

Ah, I see now - the CAPNG_* flags to the second parameter of
capng_update did not alter CAPNG_BOUNDING_SET. ACK; I've gone ahead and
pushed this patch.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
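
Review bot: The bare capng_apply(CAPNG_SELECT_BOUNDS) call in the second hunk discards its return value without leaving any trace, so when CAP_SETPCAP could not be acquired the bounding set stays unrestricted and nothing records that. The comment explains why the failure is tolerated, but consider capturing the result and emitting a debug or warning message when it is negative, so a process running with a wider bounding set than intended can be diagnosed afterwards. In the last hunk, dropping need_prctl from the condition makes the CAPNG_SELECT_CAPS apply unconditional; check whether need_prctl is still used anywhere in the function, and one pair of the doubled parentheses around the assignment can go.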