[PATCH 018/155] policycoreutils: newrole retain CAP_SETPCAP

This patch looks good to me. acked.
From a83279d4fccf20c0f7a94cbb83b5dd5988056d95 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Wed, 29 Jun 2011 02:56:56 -0400
Subject: [PATCH 018/155] policycoreutils: newrole retain CAP_SETPCAP

We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/newrole/newrole.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 2d31d64..99d0ed7 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -586,7 +586,7 @@ static int drop_capabilities(int full)
 		return -1;
 	}
 	if (! full) 
-		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
 	return capng_apply(CAPNG_SELECT_BOTH);
 }
 
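Review bot: In drop_capabilities(), the third argument to capng_update() is a single capability number, not a bit mask, so OR-ing the CAP_* constants on the changed line does not name five capabilities. The CAP_* values are indices (CAP_CHOWN is 0, CAP_SETPCAP is 8, CAP_SYS_ADMIN is 21), and the expression collapses to one number: 23 before this change and 31 with CAP_SETPCAP added, which are CAP_SYS_NICE and CAP_SETFCAP, so neither the original set nor CAP_SETPCAP is actually retained. Use capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1), or one capng_update() call per capability, and check the return value, which this line ignores.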
@@ -1030,8 +1030,10 @@ int main(int argc, char *argv[])
 	 * if it makes sense to continue to run newrole, and setting up
 	 * a scrubbed environment.
 	 */
-	if (drop_capabilities(FALSE))
+	if (drop_capabilities(FALSE)) {
+		perror(_("Sorry, newrole failed to drop capabilities\n"));
 		return -1;
+	}
 	if (set_signal_handles())
 		return -1;
 
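Review bot: perror() appends ": " and the errno text after the string it is given, so the trailing "\n" in the new message at the drop_capabilities(FALSE) check pushes the error description onto its own line starting with a colon; drop the "\n" from the string. drop_capabilities() also has plain return -1 paths (one is visible in the first hunk's context), where errno may not describe the failure, so fprintf(stderr, ...) with a fixed message would avoid printing an unrelated errno string.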
-- 
1.7.6
