On Fri, 16 Mar 2012 09:38:10 -0400 Daniel J Walsh wrote:
> On 03/16/2012 08:50 AM, Mikhail Efremov wrote:
> > Hello!
> >
> > The CAP_* constants should not be or'ed, it is the bit numbers. And
> > grant the access to the audit system too.
>
> I talked to the developer of libcap-ng (Steve Grubb) and he stated
> that you are correct but "you should use the 'v' version of update
> which allows you to update in just 1 library call. The
> capabilities should be separated with a comma and to mark the end you
> put a -1:"
>
> capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
> CAP_SYS_ADMIN,
> CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE,
> -1);
Thanks, I didn't notice this function.
Here are updated patches.
--
WBR, Mikhail Efremov
From bda9fb4362d3e0791de54b89e65888aff270e6fd Mon Sep 17 00:00:00 2001
From: Mikhail Efremov <sem@xxxxxxxxxxxx>
Date: Fri, 16 Mar 2012 16:19:56 +0400
Subject: [PATCH 1/2] policycoreutils: newrole: Fix drop_capabilities().
The CAP_* constants should not be or'ed, it is the bit
numbers. Use capng_updatev instead (suggested by Daniel J Walsh).
And call capng_setpid() before dropping capabilities,
otherwise child will try to drop capabilities of the parent
process.
---
policycoreutils/newrole/newrole.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 99d0ed7..5d31e77 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -543,6 +543,7 @@ static int restore_environment(int preserve_environment,
#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
static int drop_capabilities(int full)
{
+ capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
if (capng_lock() < 0)
return -1;
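Review bot: the reason for the new `capng_setpid(getpid())` line exists only in the commit message (without it the child ends up operating on the parent's capability set); put a one-line comment above the call so the next reader of drop_capabilities() does not drop it as redundant.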
@@ -575,6 +576,7 @@ static int drop_capabilities(int full)
*/
static int drop_capabilities(int full)
{
+ capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
if (capng_lock() < 0)
return -1;
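Review bot: the same one-line fix is applied here to the second `#if` variant of drop_capabilities(), so the capng_setpid()/capng_clear()/capng_lock() prologue is now duplicated verbatim in both variants; a small shared static helper would keep the two copies from drifting apart on the next fix.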
@@ -585,8 +587,11 @@ static int drop_capabilities(int full)
fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1;
}
- if (! full)
- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
+ if (! full)
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP,
+ -1);
+
return capng_apply(CAPNG_SELECT_BOTH);
}
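Review bot: the return value of capng_updatev() at the `+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,` lines is still discarded, as capng_update()'s was before; libcap-ng returns -1 from capng_updatev() on failure, and a failure here falls through to capng_apply() so the function can report success having retained fewer capabilities than intended. Suggest checking it, e.g. `if (! full && capng_updatev(...) < 0) return -1;`. The added `+` blank line before `return capng_apply(CAPNG_SELECT_BOTH);` is an unrelated whitespace change and could be left out.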
--
1.7.9.3
From cadfe7b69436dc57fbfe94b517af20ec193fcee0 Mon Sep 17 00:00:00 2001
From: Mikhail Efremov <sem@xxxxxxxxxxxx>
Date: Fri, 16 Mar 2012 16:21:38 +0400
Subject: [PATCH 2/2] policycoreutils: newrole retain CAP_AUDIT_WRITE.
Grant access to the audit system.
---
policycoreutils/newrole/newrole.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 5d31e77..208f0b8 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -589,7 +589,7 @@ static int drop_capabilities(int full)
}
if (! full)
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
- CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP,
+ CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE,
-1);
return capng_apply(CAPNG_SELECT_BOTH);
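Review bot: the one-line commit message "Grant access to the audit system" does not say why the capability is needed; since this drop_capabilities() variant is built under `#if defined(AUDIT_LOG_PRIV)` and the retained set is applied after the uid change, the message should state that CAP_AUDIT_WRITE is what lets the unprivileged process still write its audit records, and that the resulting list matches the capng_updatev() call Daniel Walsh quoted upthread.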
--
1.7.9.3
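The point behind both patches, that CAP_* constants are bit numbers rather than bit flags, is easy to verify without libcap-ng. The following is an added example written for this thread; it is not code from newrole or from libcap-ng. It takes the CAP_* values from linux/capability.h (with a fallback copy of those values for non-Linux builds), and the helper names cap_mask_from_list(), orred_capability(), cap_mask_has() and cap_mask_count() are mine. cap_mask_from_list() consumes a -1-terminated list in the same calling convention as capng_updatev(), and orred_capability() computes what the original single-argument capng_update() call actually asked for.

```c
/* Added example, not part of the newrole patches or of libcap-ng:
 * why OR-ing CAP_* bit numbers yields a single, unrelated capability,
 * and how a -1-terminated list (the capng_updatev() convention) is
 * turned into a proper bitmask instead. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

#ifdef __linux__
#include <linux/capability.h>   /* authoritative CAP_* bit numbers */
#else
/* Fallback: values copied from linux/capability.h for other platforms. */
#define CAP_CHOWN         0
#define CAP_DAC_OVERRIDE  1
#define CAP_FOWNER        3
#define CAP_SETPCAP       8
#define CAP_SYS_ADMIN     21
#define CAP_AUDIT_WRITE   29
#define CAP_SETFCAP       31
#endif

/* What the pre-patch call computed: the bit numbers OR-ed together and
 * then interpreted as one bit number. */
static int orred_capability(void)
{
    return CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP;
}

/* Build a bitmask from a list of CAP_* bit numbers terminated by -1,
 * exactly how capng_updatev() expects its arguments. On an out-of-range
 * value *err is set to 1 and 0 is returned. */
static uint64_t cap_mask_from_list(int *err, int first, ...)
{
    uint64_t mask = 0;
    va_list ap;
    int cap = first;

    *err = 0;
    va_start(ap, first);
    while (cap != -1) {
        if (cap < 0 || cap > 63) {   /* not a valid capability bit number */
            *err = 1;
            va_end(ap);
            return 0;
        }
        mask |= (uint64_t)1 << cap;
        cap = va_arg(ap, int);
    }
    va_end(ap);
    return mask;
}

/* 1 if capability bit `cap` is set in `mask`, else 0. */
static int cap_mask_has(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* Number of capabilities retained by `mask`. */
static int cap_mask_count(uint64_t mask)
{
    int n = 0;
    while (mask) {
        n += (int)(mask & 1);
        mask >>= 1;
    }
    return n;
}

int main(void)
{
    int err;
    /* The buggy form: five caps OR-ed collapse to a single bit number. */
    uint64_t buggy = cap_mask_from_list(&err, orred_capability(), -1);
    /* The fixed form from patch 2/2: six separate bit numbers, -1 terminated. */
    uint64_t fixed = cap_mask_from_list(&err, CAP_SYS_ADMIN, CAP_FOWNER,
                                        CAP_CHOWN, CAP_DAC_OVERRIDE,
                                        CAP_SETPCAP, CAP_AUDIT_WRITE, -1);

    printf("OR-ed value %d == CAP_SETFCAP? %s\n", orred_capability(),
           orred_capability() == CAP_SETFCAP ? "yes" : "no");
    printf("buggy mask retains %d capability, fixed mask retains %d\n",
           cap_mask_count(buggy), cap_mask_count(fixed));
    printf("buggy mask has CAP_SYS_ADMIN? %d, fixed mask has CAP_AUDIT_WRITE? %d\n",
           cap_mask_has(buggy, CAP_SYS_ADMIN), cap_mask_has(fixed, CAP_AUDIT_WRITE));
    return 0;
}
```

Run it and the OR-ed value comes out as 31, which is CAP_SETFCAP: the original call did not retain any of the five intended capabilities and instead kept one the code never asked for. That is the failure mode a bit-number API silently produces when it is fed a bitmask, and it is why the list form with a -1 terminator is the right interface to use.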