projects / platform / upstream / nsjail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 341832d)
contain: capabilities
authorRobert Swiecki <robert@swiecki.net>
Sun, 12 Feb 2017 15:54:39 +0000 (16:54 +0100)
committerRobert Swiecki <robert@swiecki.net>
Sun, 12 Feb 2017 15:54:39 +0000 (16:54 +0100)
contain.c patch | blob | history

diff --git a/contain.c b/contain.c
index 8b55aeebc72be18b4367f28bb5c48b34b7fb7362..2d388ecaf03eb6a424f942656a2590d025450c51 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -114,8 +114,8 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
                         * wait for the first one which returns EINVAL
                         */
                        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0UL, 0UL, 0UL) == -1
-                           && errno == EINVAL) {
-                               break;
+                           && errno != EINVAL) {
+                               PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %lu)", i);
                        }
                }
 #endif                         /* defined(PR_CAP_AMBIENT) */
@@ -125,8 +125,8 @@ static bool containDropPrivs(struct nsjconf_t *nsjconf)
                         * Number of capabilities varies between kernels, so
                         * wait for the first one which returns EINVAL
                         */
-                       if (prctl(PR_CAPBSET_DROP, i, 0UL, 0UL, 0UL) == -1 && errno == EINVAL) {
-                               break;
+                       if (prctl(PR_CAPBSET_DROP, i, 0UL, 0UL, 0UL) == -1 && errno != EINVAL) {
+                               PLOG_W("prctl(PR_CAPBSET_DROP, %lu", i);
                        }
                }
                if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == -1) {
Domain: System / System Framework;