mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-22 09:58:09 +00:00
Code Issues Releases Wiki Activity

restore: Skip dropping BSET capability if irrelevant.

Browse Source 
prctl(NO_NEW_PRIVS) when set prevents child processes gaining
capabilities not in permitted set. In this case, inability to
clear capability from BSET that is not in the permitted set is
harmless.

Signed-off-by: Michał Mirosław <emmir@google.com>
This commit is contained in:
Michał Mirosław 2023-07-25 17:54:26 +02:00 committed by Andrei Vagin
parent fe4be19de4
commit 25d0330809
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
criu/pie/restorer.c
View File

@ -301,10 +301,18 @@ skip_xids:
/* already set */ /* already set */
continue; continue;
ret = sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0); ret = sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0);
if (ret) { if (!ret)
continue;
if (!ce->has_no_new_privs || !ce->no_new_privs || args->cap_prm[b] & (1 << i)) {
pr_err("Unable to drop capability %d: %d\n", i + b * 32, ret); pr_err("Unable to drop capability %d: %d\n", i + b * 32, ret);
return -1; return -1;
} }
/*
* If prctl(NO_NEW_PRIVS) is going to be set then it
* will prevent inheriting the capabilities not in
* the permitted set.
*/
pr_warn("Unable to drop capability %d from bset: %d (but NO_NEW_PRIVS will drop it)\n", i + b * 32, ret);
} }
} }