From 3a7e22a5d0ce067600211b43946c3b6cd271c09e Mon Sep 17 00:00:00 2001 From: Jerry Jelinek Date: Wed, 8 Jul 2015 18:13:28 +0000 Subject: OS-4454 systemd fails to exec journald due to failed capset --- usr/src/lib/brand/lx/lx_brand/common/capabilities.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'usr/src/lib') diff --git a/usr/src/lib/brand/lx/lx_brand/common/capabilities.c b/usr/src/lib/brand/lx/lx_brand/common/capabilities.c index 2b46041547..4f72c6c900 100644 --- a/usr/src/lib/brand/lx/lx_brand/common/capabilities.c +++ b/usr/src/lib/brand/lx/lx_brand/common/capabilities.c @@ -63,6 +63,8 @@ typedef struct { #define LX_CAP_VERSION_2 0x20071026 /* deprecated by Linux */ #define LX_CAP_VERSION_3 0x20080522 +#define LX_CAP_SETPCAP 8 + /* * Even though we lack mappings for capabilities higher than 36, it's valuable * to test all the way out to the end of the second field. This ensures that @@ -216,10 +218,24 @@ lx_cap_update_priv(priv_set_t *priv, const uint32_t cap[]) cap_set = LX_CAP_CAPISSET(i, cap); if (lx_cap_mapping[i] == NULL || i > LX_CAP_MAX_VALID) { /* don't allow setting unsupported caps */ - if (cap_set) + if (cap_set) { + /* + * CAP_SETPCAP is a special capability, with + * varying behavior, that can be used to + * control if the process can change other + * process's capabilities, or to control moving + * capabilities between sets. For now we ignore + * this if its passed in. + */ + if (i == LX_CAP_SETPCAP) { + continue; + } + lx_unsupported("set unsupported capability %d", + i); return (-1); - else + } else { continue; + } } for (j = 0; lx_cap_mapping[i][j] != NULL; j++) { priv_set = priv_ismember(priv, lx_cap_mapping[i][j]); -- cgit v1.2.3