lib: Allow downgrade of all caps when none are specified

Staticd when run tells privs.c that it does not need any
priviledges.  The lib/privs.c code was not downgrading
any and all permissions it may have been given at startup.

Since we don't need any let's actually tell the system that
FRR does not need the capabilities anymore in the case
where a daemon does not ask for any cap's.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/lib/privs.c b/lib/privs.c
index c012178e71b0ad233857526085081897579087e5..5cba90839f7f0bb444270790b6f3005ce02b0f65 100644 (file)
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -286,9 +286,6 @@ static void zprivs_caps_init(struct zebra_privs_t *zprivs)
                }
        }
 
-       if (!zprivs_state.syscaps_p)
-               return;
-
        if (!(zprivs_state.caps = cap_init())) {
                fprintf(stderr, "privs_init: failed to cap_init, %s\n",
                        safe_strerror(errno));
@@ -301,10 +298,12 @@ static void zprivs_caps_init(struct zebra_privs_t *zprivs)
                exit(1);
        }
 
-       /* set permitted caps */
-       cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
-                    zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps,
-                    CAP_SET);
+       /* set permitted caps, if any */
+       if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num) {
+               cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
+                            zprivs_state.syscaps_p->num,
+                            zprivs_state.syscaps_p->caps, CAP_SET);
+       }
 
        /* set inheritable caps, if any */
        if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
@@ -364,7 +363,7 @@ static void zprivs_caps_terminate(void)
        }
 
        /* free up private state */
-       if (zprivs_state.syscaps_p->num) {
+       if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num) {
                XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
                XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p);
        }