Commit 98323725 authored by Colin Walters's avatar Colin Walters Committed by Simon McVittie

bus/selinux: Fix previous commit for CAP_AUDIT_WRITE retention

As soon as capng_clear() is called, we won't appear to have
CAP_AUDIT_WRITE.  Fix this by checking for it before resetting the
libcap state.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062Tested-by: default avatarLaurent Bigonville <bigon@debian.org>
Reviewed-by: default avatarLaurent Bigonville <bigon@debian.org>
Reviewed-by: default avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Lennart Poettering's avatarLennart Poettering <lennart@poettering.net>
parent 6b3a169b
......@@ -1043,9 +1043,15 @@ _dbus_change_to_daemon_user (const char *user,
if (_dbus_geteuid () == 0)
{
int rc;
int have_audit_write;
have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);
capng_clear (CAPNG_SELECT_BOTH);
if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
/* Only attempt to retain CAP_AUDIT_WRITE if we had it when
* starting. See:
* https://bugs.freedesktop.org/show_bug.cgi?id=49062#c9
*/
if (have_audit_write)
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment