author | Colin Walters <walters@verbum.org> | 2013-10-27 16:21:19 -0400 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2013-11-01 19:13:21 +0000 |
commit | 983237258dc440419b863461fae15f31cce08639 (patch) | |
tree | 58a57555466e5626da6e4fdcb84eff7253cd92ca | |
parent | 6b3a169bb0d0c7464a861ce1d9a8af4946f62fb1 (diff) | |
download | dbus-983237258dc440419b863461fae15f31cce08639.tar.gz |
bus/selinux: Fix previous commit for CAP_AUDIT_WRITE retention
As soon as capng_clear() is called, we won't appear to have
CAP_AUDIT_WRITE. Fix this by checking for it before resetting the
libcap state.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062
Tested-by: Laurent Bigonville <bigon@debian.org>
Reviewed-by: Laurent Bigonville <bigon@debian.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Lennart Poettering <lennart@poettering.net>
-rw-r--r-- | bus/selinux.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/bus/selinux.c b/bus/selinux.c index 7ae84d6d..768e55ef 100644 --- a/bus/selinux.c +++ b/bus/selinux.c @@ -1043,9 +1043,15 @@ _dbus_change_to_daemon_user (const char *user, if (_dbus_geteuid () == 0) { int rc; + int have_audit_write; + have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE); capng_clear (CAPNG_SELECT_BOTH); - if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)) + /* Only attempt to retain CAP_AUDIT_WRITE if we had it when + * starting. See: + * https://bugs.freedesktop.org/show_bug.cgi?id=49062#c9 + */ + if (have_audit_write) capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP); |
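Review bot: the new `have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);` at the top of the hunk answers from libcap-ng's in-memory copy of the capability state, and nothing in the shown context loads that copy from the running process (capng_get_caps_process ()) before the query; unless the state was fetched earlier in _dbus_change_to_daemon_user, the check fails closed, `if (have_audit_write)` is never taken, and the daemon still ends up without CAP_AUDIT_WRITE after capng_change_id, which is the outcome the commit message says it fixes. Suggest adding `capng_get_caps_process ();` immediately before the have_audit_write assignment, or stating in the commit message where the state is populated. Two smaller points: the comment says "if we had it when starting", but the check runs at the privilege-drop point rather than at process start, so "if we had it before clearing the libcap-ng state" would be more accurate; and `int have_audit_write;` followed by a separate assignment could be a single initialised declaration, matching the surrounding style of `int rc;` only if rc is also assigned later.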