authorPatrick Steinhardt2017-06-24 16:04:32 +0200
committerKarel Zak2017-06-27 14:59:19 +0200
commit8a5af72c22fa3e06f8d449ccec3da24d08624bbf (patch)
tree609bfd6e68e1836948462ba87cb21a37ecee6160 /sys-utils/setpriv.c
parentsetpriv: proxy function checking whether a capability is set (diff)
setpriv: proxy function to update capabilities
libcap-ng provides a function to update capabilities with `capng_update`. As libcap-ng has not yet been updated to enable modification of ambient capabilities, we cannot use it to update this set, though. In order to allow easily extending the logic to also handle ambient capability sets, we create a new function `cap_update`. Right now, it simply calls out to `capng_update` for all supported capability types. Reviewed-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Patrick Steinhardt <ps@pks.im>
Diffstat (limited to 'sys-utils/setpriv.c')
-rw-r--r--sys-utils/setpriv.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c
index 717aea4d0..3ef180cf0 100644
--- a/sys-utils/setpriv.c
+++ b/sys-utils/setpriv.c
@@ -453,6 +453,21 @@ static void bump_cap(unsigned int cap)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, cap);
}
+static int cap_update(capng_act_t action,
+ enum cap_type type, unsigned int cap)
+{
+ switch (type) {
+ case CAP_TYPE_EFFECTIVE:
+ case CAP_TYPE_BOUNDING:
+ case CAP_TYPE_INHERITABLE:
+ case CAP_TYPE_PERMITTED:
+ return capng_update(action, (capng_type_t) type, cap);
+ default:
+ errx(EXIT_FAILURE, _("unsupported capability type"));
+ return -1;
+ }
+}
+
static void do_caps(enum cap_type type, const char *caps)
{
char *my_caps = xstrdup(caps);
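Review bot: The cast `(capng_type_t) type` in `cap_update` is only correct while every `CAP_TYPE_*` constant has the same numeric value as its `CAPNG_*` counterpart, and nothing in the new function says so. The `enum cap_type` definition is outside this hunk, so the equality cannot be confirmed from here; if the two ever drift, the call would modify a different capability set than the one the user asked for. I would add a comment above the switch such as `/* CAP_TYPE_* values must match the corresponding CAPNG_* values; the cast relies on it */`, plus a short header comment stating that the function returns the `capng_update` result and does not return on an unsupported type. The `return -1;` after `errx()` is unreachable and presumably only quiets the compiler, which is worth a one-line comment as well.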
@@ -475,11 +490,11 @@ static void do_caps(enum cap_type type, const char *caps)
errx(SETPRIV_EXIT_PRIVERR,
_("libcap-ng is too old for \"all\" caps"));
for (i = 0; i <= CAP_LAST_CAP; i++)
- capng_update(action, (capng_type_t) type, i);
+ cap_update(action, type, i);
} else {
int cap = capng_name_to_capability(c + 1);
if (0 <= cap)
- capng_update(action, (capng_type_t) type, cap);
+ cap_update(action, type, cap);
else
errx(EXIT_FAILURE,
_("unknown capability \"%s\""), c + 1);
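Review bot: Both new calls in `do_caps` discard the `int` that `cap_update` returns, so a failed update is silent and setpriv would presumably continue with a capability set that differs from the one requested. For the named-capability branch the result should be checked, for example `if (cap_update(action, type, cap) < 0) errx(SETPRIV_EXIT_PRIVERR, _("cannot update capability \"%s\""), c + 1);` (the message text is only a suggestion). The `for (i = 0; i <= CAP_LAST_CAP; i++)` loop may need more care, since a failure there could simply mean the running kernel knows fewer capabilities than the build headers; that is an assumption to confirm against libcap-ng. `do_caps` starts and ends outside this hunk.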