authorPatrick Steinhardt2017-06-24 16:04:33 +0200
committerKarel Zak2017-06-27 14:59:19 +0200
commit05a22eac65c3d7756c08ddc14ece2918517bc8ee (patch)
tree65625f8ab5712a9c3fb20d622618c8ececf7dd7b /sys-utils/setpriv.c
parentsetpriv: proxy function to update capabilities (diff)
setpriv: support dumping ambient capabilities
Our code dumping owned capabilities does not yet handle ambient capabilities, which were only recently introduced with Linux 4.3. This commit implements printing ambient capabilities if they're supported by the system. Based on a patch by Andy Lutomirski. Reviewed-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Patrick Steinhardt <ps@pks.im>
Diffstat (limited to 'sys-utils/setpriv.c')
-rw-r--r--sys-utils/setpriv.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
index 3ef180cf0..5216f98ef 100644
--- a/sys-utils/setpriv.c
+++ b/sys-utils/setpriv.c
@@ -46,13 +46,19 @@
# define PR_GET_NO_NEW_PRIVS 39
#endif
+#ifndef PR_CAP_AMBIENT
+# define PR_CAP_AMBIENT 47
+# define PR_CAP_AMBIENT_IS_SET 1
+#endif
+
#define SETPRIV_EXIT_PRIVERR 127 /* how we exit when we fail to set privs */
enum cap_type {
CAP_TYPE_EFFECTIVE = CAPNG_EFFECTIVE,
CAP_TYPE_PERMITTED = CAPNG_PERMITTED,
CAP_TYPE_INHERITABLE = CAPNG_INHERITABLE,
- CAP_TYPE_BOUNDING = CAPNG_BOUNDING_SET
+ CAP_TYPE_BOUNDING = CAPNG_BOUNDING_SET,
+ CAP_TYPE_AMBIENT = (1 << 4)
};
/*
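Review bot: The new enumerator `CAP_TYPE_AMBIENT = (1 << 4)` is a bare magic value, and nothing at the definition says that, unlike its CAPNG_* siblings, it must never reach capng_have_capability(); has_cap() handles it via prctl() instead, so a future caller that forwards the enum to libcap-ng would get a silently wrong answer. The value was presumably chosen not to collide with the libcap-ng bit flags, but that intent should be written down. Suggest `CAP_TYPE_AMBIENT = (1 << 4) /* not a libcap-ng set; has_cap() queries it via prctl(PR_CAP_AMBIENT) */`. The PR_CAP_AMBIENT fallback block only defines the IS_SET sub-operation, which is all this commit uses; a one-line comment saying so would stop someone assuming the other sub-operations are covered.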
@@ -170,6 +176,9 @@ static int has_cap(enum cap_type which, unsigned int i)
case CAP_TYPE_INHERITABLE:
case CAP_TYPE_PERMITTED:
return capng_have_capability(which, i);
+ case CAP_TYPE_AMBIENT:
+ return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET,
+ (unsigned long) i, 0UL, 0UL);
default:
warnx(_("invalid capability type"));
return -1;
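Review bot: The added CAP_TYPE_AMBIENT arm returns prctl()'s raw result, so -1 means both "kernel predates ambient capabilities" (EINVAL) and "this capability number is unknown to the running kernel", and dump() later folds either into `[unsupported]`. If print_caps() iterates up to a compile-time capability count rather than the kernel's own last-cap value, one unknown number could make the whole ambient set print as unsupported on a kernel that does support it — worth confirming which bound print_caps() uses. A comment on the new arm would also make the -1 contract explicit: `/* -1/EINVAL when the kernel lacks ambient caps; dump() prints [unsupported] */`. has_cap()'s body starts before this hunk.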
@@ -365,6 +374,14 @@ static void dump(int dumplevel)
printf(_("[none]"));
printf("\n");
+ printf(_("Ambient capabilities: "));
+ x = print_caps(stdout, CAP_TYPE_AMBIENT);
+ if (x == 0)
+ printf(_("[none]"));
+ if (x < 0)
+ printf(_("[unsupported]"));
+ printf("\n");
+
printf(_("Capability bounding set: "));
if (print_caps(stdout, CAP_TYPE_BOUNDING) == 0)
printf(_("[none]"));