Add syslog warning for bad use of capng_apply
parent
5a74f8832e
commit
3c5cc435c9
@ -1,12 +1,50 @@
|
|||||||
diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
|
diff -urp libcap-ng-0.8.3.orig/src/cap-ng.c libcap-ng-0.8.3/src/cap-ng.c
|
||||||
--- libcap-ng-0.8.2.orig/src/cap-ng.c 2020-11-20 15:04:09.000000000 -0500
|
--- libcap-ng-0.8.3.orig/src/cap-ng.c 2021-01-30 09:26:33.000000000 -0500
|
||||||
+++ libcap-ng-0.8.2/src/cap-ng.c 2020-11-20 16:04:55.425496426 -0500
|
+++ libcap-ng-0.8.3/src/cap-ng.c 2021-01-30 09:52:43.507967643 -0500
|
||||||
@@ -698,19 +698,19 @@ int capng_apply(capng_select_t set)
|
@@ -713,6 +713,36 @@ int capng_updatev(capng_act_t action, ca
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#include <sys/param.h>
|
||||||
|
+static char *get_exename(char *exename, int size)
|
||||||
|
+{
|
||||||
|
+ char tmp[PATH_MAX+1];
|
||||||
|
+ int res;
|
||||||
|
+
|
||||||
|
+ /* get the name of the current executable */
|
||||||
|
+ if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) < -1)
|
||||||
|
+ strcpy(exename, "\"?\"");
|
||||||
|
+ else {
|
||||||
|
+ tmp[res] = '\0';
|
||||||
|
+ snprintf(exename, size, "\"%s\"", tmp);
|
||||||
|
+ }
|
||||||
|
+ return exename;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#include <syslog.h>
|
||||||
|
+static void log_problem(unsigned int msg)
|
||||||
|
+{
|
||||||
|
+ static const char *text[3] = {
|
||||||
|
+ "dropping bounding set",
|
||||||
|
+ "getting new bounding set",
|
||||||
|
+ "due to not having CAP_SETPCAP"
|
||||||
|
+ };
|
||||||
|
+ unsigned idx = msg - 2;
|
||||||
|
+ char exe[2048];
|
||||||
|
+ syslog(LOG_ERR, "libcap-ng used by %s failed %s in capng_apply",
|
||||||
|
+ get_exename(exe, 2047), text[idx]);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int capng_apply(capng_select_t set)
|
||||||
|
{
|
||||||
|
int rc = 0;
|
||||||
|
@@ -733,19 +763,22 @@ int capng_apply(capng_select_t set)
|
||||||
if (capng_have_capability(CAPNG_BOUNDING_SET,
|
if (capng_have_capability(CAPNG_BOUNDING_SET,
|
||||||
i) == 0) {
|
i) == 0) {
|
||||||
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
|
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) <0) {
|
||||||
- rc = -2;
|
- rc = -2;
|
||||||
+// rc = -2;
|
+// rc = -2;
|
||||||
|
+ log_problem(2);
|
||||||
goto try_caps;
|
goto try_caps;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -15,12 +53,14 @@ diff -urp libcap-ng-0.8.2.orig/src/cap-ng.c libcap-ng-0.8.2/src/cap-ng.c
|
|||||||
if (get_bounding_set() < 0) {
|
if (get_bounding_set() < 0) {
|
||||||
- rc = -3;
|
- rc = -3;
|
||||||
+// rc = -3;
|
+// rc = -3;
|
||||||
|
+ log_problem(3);
|
||||||
goto try_caps;
|
goto try_caps;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
memcpy(&m, &state, sizeof(m)); /* restore state */
|
memcpy(&m, &state, sizeof(m)); /* restore state */
|
||||||
- rc = -4;
|
- rc = -4;
|
||||||
+// rc = -4;
|
+// rc = -4;
|
||||||
|
+ log_problem(4);
|
||||||
goto try_caps;
|
goto try_caps;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
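Review bot: In the added `get_exename`, the error check `readlink(...) < -1` can never be true because readlink returns -1 on failure, so a failed call falls into the else branch and `tmp[res] = '\0'` writes to `tmp[-1]`, one byte before the buffer. The check should be `if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) < 0)`, which also makes the `"?"` fallback reachable, for example when /proc is not mounted. Separately, with `rc = -2`, `rc = -3` and `rc = -4` commented out, the three bounding-set failure paths now only log, so unless `rc` is set elsewhere outside these hunks, `capng_apply` appears to return success even though the bounding set was not dropped. A comment such as `/* bounding set NOT dropped; failure is logged only, callers see rc == 0 */` at each `log_problem` call would make that explicit for callers that treat the return value as a privilege-drop guarantee. The body of `capng_apply` continues outside the visible hunks.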
@ -1,7 +1,7 @@
|
|||||||
Summary: Alternate posix capabilities library
|
Summary: Alternate posix capabilities library
|
||||||
Name: libcap-ng
|
Name: libcap-ng
|
||||||
Version: 0.8.2
|
Version: 0.8.2
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: https://people.redhat.com/sgrubb/libcap-ng/
|
URL: https://people.redhat.com/sgrubb/libcap-ng/
|
||||||
Source0: https://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
|
Source0: https://people.redhat.com/sgrubb/libcap-ng/%{name}-%{version}.tar.gz
|
||||||
@ -95,6 +95,9 @@ make check
|
|||||||
%attr(0644,root,root) %{_mandir}/man8/*
|
%attr(0644,root,root) %{_mandir}/man8/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Jan 30 2021 Steve Grubb <sgrubb@redhat.com> 0.8.2-3
|
||||||
|
- Add syslog warning for bad use of capng_apply
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|