From 05a22eac65c3d7756c08ddc14ece2918517bc8ee Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Sat, 24 Jun 2017 16:04:33 +0200 Subject: setpriv: support dumping ambient capabilities Our code dumping owned capabilities does not yet handle ambient capabilities, which were only recently introduced with Linux 4.3. This commit implements printing ambient capabilities if they're supported by the system. Based on a patch by Andy Lutomirski. Reviewed-by: Andy Lutomirski Signed-off-by: Patrick Steinhardt --- sys-utils/setpriv.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'sys-utils/setpriv.c') diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c index 3ef180cf0..5216f98ef 100644 --- a/sys-utils/setpriv.c +++ b/sys-utils/setpriv.c @@ -46,13 +46,19 @@ # define PR_GET_NO_NEW_PRIVS 39 #endif +#ifndef PR_CAP_AMBIENT +# define PR_CAP_AMBIENT 47 +# define PR_CAP_AMBIENT_IS_SET 1 +#endif + #define SETPRIV_EXIT_PRIVERR 127 /* how we exit when we fail to set privs */ enum cap_type { CAP_TYPE_EFFECTIVE = CAPNG_EFFECTIVE, CAP_TYPE_PERMITTED = CAPNG_PERMITTED, CAP_TYPE_INHERITABLE = CAPNG_INHERITABLE, - CAP_TYPE_BOUNDING = CAPNG_BOUNDING_SET + CAP_TYPE_BOUNDING = CAPNG_BOUNDING_SET, + CAP_TYPE_AMBIENT = (1 << 4) }; /* @@ -170,6 +176,9 @@ static int has_cap(enum cap_type which, unsigned int i) case CAP_TYPE_INHERITABLE: case CAP_TYPE_PERMITTED: return capng_have_capability(which, i); + case CAP_TYPE_AMBIENT: + return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, + (unsigned long) i, 0UL, 0UL); default: warnx(_("invalid capability type")); return -1; @@ -365,6 +374,14 @@ static void dump(int dumplevel) printf(_("[none]")); printf("\n"); + printf(_("Ambient capabilities: ")); + x = print_caps(stdout, CAP_TYPE_AMBIENT); + if (x == 0) + printf(_("[none]")); + if (x < 0) + printf(_("[unsupported]")); + printf("\n"); + printf(_("Capability bounding set: ")); if (print_caps(stdout, CAP_TYPE_BOUNDING) == 0) printf(_("[none]")); -- cgit v1.2.3-55-g7522