Remove caps from the bounding set

author Robert Swiecki <swiecki@google.com>

Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)

committer Robert Swiecki <swiecki@google.com>

Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)
author Robert Swiecki <swiecki@google.com>
Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)
committer Robert Swiecki <swiecki@google.com>
Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)
diff --git a/contain.c b/contain.c

index db157c51e99977bbfcc8451177e7873c6357e993..afa14b75dc9bd2805a069bae28eca1556e517087 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -84,6 +84,15 @@ bool containDropPrivs(struct nsjconf_t * nsjconf)
         }
  
         if (nsjconf->keep_caps == false) {
+               for (unsigned long i = 0; i < 128UL; i++) {
+                       /*
+                        * Number of capabilities differs between kernels, so
+                        * wait for the first one which returns EINVAL
+                        */
+                       if (prctl(PR_CAPBSET_DROP, i, 0UL, 0UL, 0UL) == -1 && errno == EINVAL) {
+                               break;
+                       }
+               }
                 if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == -1) {
                         PLOG_E("prctl(PR_SET_KEEPCAPS, 0)");
                         return false;
author	Robert Swiecki <swiecki@google.com>
	Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)
committer	Robert Swiecki <swiecki@google.com>
	Tue, 8 Mar 2016 14:10:21 +0000 (15:10 +0100)