restore: Skip dropping BSET capability if irrelevant.

prctl(NO_NEW_PRIVS) when set prevents child processes gaining capabilities not in permitted set. In this case, inability to clear capability from BSET that is not in the permitted set is harmless. Signed-off-by: Michał Mirosław <emmir@google.com>
2025-08-22 01:51:51 +00:00 · 2023-07-25 17:54:26 +02:00 · 2023-07-25 17:54:26 +02:00 · 25d0330809
commit 25d0330809
parent fe4be19de4
1 changed files with 9 additions and 1 deletions
--- a/criu/pie/restorer.c
+++ b/criu/pie/restorer.c
@ -301,10 +301,18 @@ skip_xids:
 				/* already set */
 				continue;
 			ret = sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0);
-			if (ret) {
+			if (!ret)
+				continue;
+			if (!ce->has_no_new_privs || !ce->no_new_privs || args->cap_prm[b] & (1 << i)) {
 				pr_err("Unable to drop capability %d: %d\n", i + b * 32, ret);
 				return -1;
 			}
+			/*
+			 * If prctl(NO_NEW_PRIVS) is going to be set then it
+			 * will prevent inheriting the capabilities not in
+			 * the permitted set.
+			 */
+			pr_warn("Unable to drop capability %d from bset: %d (but NO_NEW_PRIVS will drop it)\n", i + b * 32, ret);
 		}
 	}