From: Donald Sharp Date: Tue, 28 Jun 2022 14:26:52 +0000 (-0400) Subject: lib: Allow downgrade of all caps when none are specified X-Git-Tag: base_8.4~286^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=88be4045c9e09d9b36952ed594e4bbc19633deba;p=matthieu%2Ffrr.git lib: Allow downgrade of all caps when none are specified Staticd when run tells privs.c that it does not need any priviledges. The lib/privs.c code was not downgrading any and all permissions it may have been given at startup. Since we don't need any let's actually tell the system that FRR does not need the capabilities anymore in the case where a daemon does not ask for any cap's. Signed-off-by: Donald Sharp
---
diff --git a/lib/privs.c b/lib/privs.c
index c012178e71..5cba90839f 100644
--- a/lib/privs.c
+++ b/lib/privs.c
@@ -286,9 +286,6 @@ static void zprivs_caps_init(struct zebra_privs_t *zprivs)
 }
 }
 
- if (!zprivs_state.syscaps_p)
- return;
-
 if (!(zprivs_state.caps = cap_init())) {
 fprintf(stderr, "privs_init: failed to cap_init, %s\n",
 safe_strerror(errno));
@@ -301,10 +298,12 @@ static void zprivs_caps_init(struct zebra_privs_t *zprivs)
 exit(1);
 }
 
- /* set permitted caps */
- cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
- zprivs_state.syscaps_p->num, zprivs_state.syscaps_p->caps,
- CAP_SET);
+ /* set permitted caps, if any */
+ if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num) {
+ cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
+ zprivs_state.syscaps_p->num,
+ zprivs_state.syscaps_p->caps, CAP_SET);
+ }
 
 /* set inheritable caps, if any */
 if (zprivs_state.syscaps_i && zprivs_state.syscaps_i->num) {
@@ -364,7 +363,7 @@ static void zprivs_caps_terminate(void)
 }
 
 /* free up private state */
- if (zprivs_state.syscaps_p->num) {
+ if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num) {
 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p->caps);
 XFREE(MTYPE_PRIVS, zprivs_state.syscaps_p);
 }
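Review bot: Nothing at the spot where the `if (!zprivs_state.syscaps_p) return;` guard used to sit tells a reader that a NULL permitted set is now a deliberate fall-through, so a later cleanup could put the early return back and silently stop the capability drop. I would add a comment ahead of the cap_init() call, `/* syscaps_p may be NULL here: a daemon that asks for no caps still falls through so its capabilities are dropped */`. Every later use of syscaps_p in zprivs_caps_init now has to tolerate NULL; the second hunk guards the CAP_PERMITTED call, but the function continues past both hunks, so the remaining uses should be checked as well. A daemon that lists inheritable caps but no permitted ones also stops being a no-op with this change, which is worth confirming is intended.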
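Review bot: The return value of cap_set_flag() is still dropped inside the new `if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num)` block, while the cap_init() call in the first hunk and the check that ends at the top of this hunk both exit(1) on failure. If the CAP_PERMITTED update fails, the daemon would carry on with a permitted set that lacks what it asked for and only notice when it later tries to raise a capability. Checking the result and failing the same way as the neighbouring calls keeps start-up behaviour consistent. The inheritable block that follows probably needs the same treatment, though its body lies outside the hunk.

```c
	/* set permitted caps, if any */
	if (zprivs_state.syscaps_p && zprivs_state.syscaps_p->num) {
		if (cap_set_flag(zprivs_state.caps, CAP_PERMITTED,
				 zprivs_state.syscaps_p->num,
				 zprivs_state.syscaps_p->caps, CAP_SET)) {
			fprintf(stderr,
				"privs_init: failed to set permitted caps, %s\n",
				safe_strerror(errno));
			exit(1);
		}
	}
	/* … unchanged: inheritable caps block … */
```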