fdo-mirrors/dbus
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/dbus/dbus.git synced 2026-04-22 02:20:41 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

selinux: when dropping capabilities only include AUDIT caps if we have them

Browse source 
When we drop capabilities we shouldn't assume we can keep
CAP_AUDIT_WRITE unconditionally, since it will not be available when
running in containers.

This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
actually have it in the first place.

This makes audit/selinux enabled D-Bus work in a Linux container.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062
Acked-by: Thiago Macieira <thiago@kde.org>
Acked-by: Colin Walters <walters@verbum.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This commit is contained in:
Lennart Poettering 2012-04-23 00:32:43 +02:00 committed by Simon McVittie
parent efd8209d05
commit 2cf320fc82
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
bus/selinux.c
View file

@ -1045,8 +1045,9 @@ _dbus_change_to_daemon_user (const char *user,
int rc;
capng_clear (CAPNG_SELECT_BOTH);
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{