author | Andy Lutomirski <luto@kernel.org> | 2015-05-14 23:28:09 -0700 |
---|---|---|
committer | Andy Lutomirski <luto@kernel.org> | 2015-05-14 23:28:09 -0700 |
commit | 7f5afbd175d236afdb2d00a909c1f69d6e9602d4 (patch) | |
tree | ddea2e924777b0f73f709a66e0087acdb76195a6 | |
parent | 860c73ac1acaaae976bdd3bb83b89b0180f0702a (diff) | |
download | util-linux-playground-cap_ambient.tar.gz |
setpriv: Preliminary no_cap_ambient_raise supportcap_ambient
Signed-off-by: Andy Lutomirski <luto@kernel.org>
-rw-r--r-- | sys-utils/setpriv.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
index e44b5f5e47..7907c9f476 100644
--- a/sys-utils/setpriv.c
+++ b/sys-utils/setpriv.c
@@ -53,6 +53,15 @@
 # define PR_CAP_AMBIENT_LOWER 3
 #endif
 
+#ifndef SECURE_NO_CAP_AMBIENT_RAISE
+# define SECURE_NO_CAP_AMBIENT_RAISE 6
+# define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */
+# define SECBIT_NO_CAP_AMBIENT_RAISE \
+ (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
+# define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
+ (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
+#endif
+
 #define SETPRIV_EXIT_PRIVERR 127 /* how we exit when we fail to set privs */
 
 /*
@@ -226,6 +235,10 @@ static void dump_securebits(void)
 bits &= ~SECBIT_KEEP_CAPS;
 dump_one_secbit(&first, &bits, SECBIT_KEEP_CAPS_LOCKED,
 "keep_caps_locked");
+ dump_one_secbit(&first, &bits, SECBIT_NO_CAP_AMBIENT_RAISE,
+ "no_cap_ambient_raise");
+ dump_one_secbit(&first, &bits, SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED,
+ "no_cap_ambient_raise_locked");
 if (bits) {
 if (!first)
 printf(",");
@@ -514,7 +527,9 @@ static void parse_securebits(struct privctx *opts, const char *arg)
 SECBIT_NO_SETUID_FIXUP |
 SECBIT_NO_SETUID_FIXUP_LOCKED |
 SECBIT_KEEP_CAPS |
- SECBIT_KEEP_CAPS_LOCKED))
+ SECBIT_KEEP_CAPS_LOCKED |
+ SECBIT_NO_CAP_AMBIENT_RAISE |
+ SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED))
 errx(SETPRIV_EXIT_PRIVERR,
 _("unrecognized securebit set -- refusing to adjust"));
 
@@ -543,6 +558,10 @@ static void parse_securebits(struct privctx *opts, const char *arg)
 _("adjusting keep_caps does not make sense"));
 else if (!strcmp(c + 1, "keep_caps_locked"))
 bit = SECBIT_KEEP_CAPS_LOCKED; /* sigh */
+ else if (!strcmp(c + 1, "no_cap_ambient_raise"))
+ bit = SECBIT_NO_CAP_AMBIENT_RAISE;
+ else if (!strcmp(c + 1, "no_cap_ambient_raise_locked"))
+ bit = SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED;
 else
 errx(EXIT_FAILURE, _("unrecognized securebit"));
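Review bot: The parse_securebits hunks accept `+no_cap_ambient_raise` but nothing in this patch orders that bit against the ambient-capability operations setpriv already performs (the PR_CAP_AMBIENT_* fallbacks sit just above the first hunk); if the securebits are applied before the ambient set is raised, a later PR_CAP_AMBIENT_RAISE will fail with EPERM, so the apply order in the code outside these hunks should be confirmed and documented with a comment such as `/* securebits must be applied after ambient caps are raised: no_cap_ambient_raise blocks PR_CAP_AMBIENT_RAISE */`. Both parse_securebits and dump_securebits continue outside their hunks. In the first hunk the fallback hardcodes 6 and 7 under a single `#ifndef SECURE_NO_CAP_AMBIENT_RAISE`, which is only sound while the system header defines the SECURE_* and SECBIT_* names together, as linux/securebits.h does; a comment naming that header as the source of the values would make the coupling explicit. If the usage text enumerates the accepted securebit names, the two new names also belong there; that part of the file is not in this diff.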