search for: cap_ordinal

...turns -1 on failure. + */ +static int find_capability(const char *s) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(capabilities); i++) { + if (capabilities[i].cap_name + && strcasecmp(s, capabilities[i].cap_name) == 0) { + return i; + } + } + return -1; +} + +static void do_capset(int cap_ordinal) +{ + struct __user_cap_header_struct hdr; + struct __user_cap_data_struct caps[2]; + + /* Get the current capability mask */ + hdr.version = _LINUX_CAPABILITY_VERSION_3; + hdr.pid = getpid(); + if (capget(&hdr, caps)) { + perror("capget()"); + exit(1); + } + + /* Drop the bits */ +...

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by

...| 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/usr/kinit/capabilities.c b/usr/kinit/capabilities.c index eab4d93..c606144 100644 --- a/usr/kinit/capabilities.c +++ b/usr/kinit/capabilities.c @@ -167,6 +167,9 @@ static void do_usermodehelper_file(const char *filename, int cap_ordinal) hi32 &= ~(1 << (cap_ordinal - 32)); /* Commit the new bit masks to the kernel */ + ret = fseek(file, 0L, SEEK_SET); + if (ret != 0) + fail("Failed on file %s to seek %d\n", filename, ret); sprintf(buf, "%u %u", lo32, hi32); ret = fwrite(buf, 1, strlen(buf)...

...4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/kinit/capabilities.c b/usr/kinit/capabilities.c index c606144..2c61025 100644 --- a/usr/kinit/capabilities.c +++ b/usr/kinit/capabilities.c @@ -167,9 +167,9 @@ static void do_usermodehelper_file(const char *filename, int cap_ordinal) hi32 &= ~(1 << (cap_ordinal - 32)); /* Commit the new bit masks to the kernel */ - ret = fseek(file, 0L, SEEK_SET); + ret = fflush(file); if (ret != 0) - fail("Failed on file %s to seek %d\n", filename, ret); + fail("Failed on file %s to fflush %d\n", filen...

...- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/kinit/capabilities.c b/usr/kinit/capabilities.c index e743a70fec0f..4e0456ee7407 100644 --- a/usr/kinit/capabilities.c +++ b/usr/kinit/capabilities.c @@ -172,9 +172,9 @@ static void do_usermodehelper_file(const char *filename, int cap_ordinal) ret = fflush(file); if (ret != 0) fail("Failed on file %s to fflush %d\n", filename, ret); - sprintf(buf, "%u %u", lo32, hi32); - ret = fwrite(buf, 1, strlen(buf) + 1, file); - if (ret != 0) + sprintf(buf, "%u %u\n", lo32, hi32); + ret = fwrite(buf, 1, strlen(b...