util.o: util.h common.h log.h
uts.o: uts.h common.h log.h
cpu.o: cpu.h common.h log.h util.h
-config.o: common.h caps.h config.h log.h mount.h user.h util.h
+config.o: common.h caps.h config.h log.h mount.h user.h util.h config.pb.h
+config.pb.o: config.pb.h
return false;
}
- /* Let's start with the empty inheritable set to avoid any mistakes */
+ /* Let's start with an empty inheritable set to avoid any mistakes */
capsClearInheritable(cap_data);
/*
- * Remove all capabilities from the ambient set first. It works with newer kernel version only,
- * so don't fail if it fails
+ * Remove all capabilities from the ambient set first. It works with newer kernel versions
+ * only, so don't panic() if it fails
*/
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
/*
* Make sure all other caps (those which were not explicitly requested) are removed from the
- * bounding set
+ * bounding set. We need to have CAP_SETPCAP to do that now
*/
if (capsGetEffective(cap_data, CAP_SETPCAP) == true) {
dbgmsg[0] = '\0';
#include "common.h"
-bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_err);
+bool containSetupFD(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err);
bool containContain(struct nsjconf_t *nsjconf);
#endif /* NS_CONTAIN_H */
projects / platform / upstream / nsjail.git / commitdiff