
Commit bfe085e

authored
Update bubblewrap.c
check ambient capabilities before bailing
1 parent 9ca3b05 commit bfe085e

1 file changed

+18
-0
lines changed

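--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -742,13 +742,31 @@ drop_all_caps (bool keep_requested_caps)
 static bool
 has_caps (void)
 {
+unsigned long cap;
 struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
 struct __user_cap_data_struct data[2] = { { 0 } };
 
 if (capget (&hdr, data) < 0)
 die_with_error ("capget failed");
 
+#ifdef PR_CAP_AMBIENT
+for (cap = 0; cap <= CAP_LAST_CAP; cap++)
+{
+int is_permitted = (cap < 32) ? (CAP_TO_MASK_0 (cap) & data[0].permitted) : (CAP_TO_MASK_1 (cap) & data[1].permitted);
+
+if (is_permitted)
+{
+int res = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
+if (res == -1 || !res) /* assume non-ambient if prctl fails */
+return 1;
+}
+}
+
+/* all capabilities were ambient if we reached here */
+return 0;
+#else
 return data[0].permitted != 0 || data[1].permitted != 0;
+#endif
 }
 
 /* Most of the code here is used both to add caps to the ambient capabilities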
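Review bot: has_caps() now returns false for a process whose permitted set is non-empty, as long as every permitted capability is also in the ambient set, and nothing in the name or a comment tells callers that the contract changed. Its callers are outside this hunk; any of them that uses it as an "unexpected privileges" guard will now let such a process continue with those capabilities still held, so it is worth confirming that the code reached afterwards drops or accounts for them. I would state the new contract above the function, e.g. `/* Returns true only if some permitted capability is not also in the ambient set. */`. Separately, `unsigned long cap;` is declared outside the `#ifdef PR_CAP_AMBIENT` and is unused when the macro is absent, so the declaration belongs inside the `#ifdef`. Since the function is declared `bool`, `return true;` / `return false;` would also read more consistently with the `#else` branch than `return 1;` / `return 0;`.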
