Makefile: correct proto dep, plus some comments in caps.c

diff --git a/Makefile b/Makefile
index 95a8fabaf7540dbcf9aa4c9536f32f1027fa4430..798c8f44238b1216135c8e0226a64f0e19f585af 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -76,8 +76,9 @@ ifeq ("$(wildcard kafel/Makefile)","")
 endif
        $(MAKE) -C kafel
 
+# Sequence of proto deps, which doesn't fit automatic make rules
+config.o: $(SRCS_PB_O) $(SRCS_PB_H)
 $(SRCS_PB_O): $(SRCS_PB_CXX) $(SRCS_PB_H)
-
 $(SRCS_PB_CXX) $(SRCS_PB_H): $(SRCS_PROTO)
        protoc --cpp_out=. $(SRCS_PROTO)
 
@@ -88,7 +89,7 @@ ifneq ("$(wildcard kafel/Makefile)","")
 endif
 
 depend:
-       makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB)
+       makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB_CXX)
 
 indent:
        clang-format --style=WebKit -i -sort-includes *.c *.h $(SRCS_CXX)
@@ -113,4 +114,4 @@ user.o: user.h common.h log.h subproc.h util.h
 util.o: util.h common.h log.h
 uts.o: uts.h common.h log.h
 cpu.o: cpu.h common.h log.h util.h
-config.o: common.h caps.h config.h log.h mount.h user.h util.h config.pb.h
+config.o: common.h caps.h config.h log.h mount.h user.h util.h

diff --git a/caps.c b/caps.c
index 2c07c83ef9a9f1849d311661c47047a3e6dcc203..87d345a24db4eada552f10e1e6fb742ab257f782 100644 (file)
--- a/caps.c
+++ b/caps.c
@@ -174,6 +174,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
 {
        char dbgmsg[4096];
 
+       /* Copy all permitted caps to the inheritable set */
        dbgmsg[0] = '\0';
        for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
                if (capsGetPermitted(cap_data, capNames[i].val) == true) {
@@ -187,6 +188,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
                return false;
        }
 
+       /* Make sure the inheritable set is preserved across execve via the ambient set */
        dbgmsg[0] = '\0';
        for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
                if (capsGetPermitted(cap_data, capNames[i].val) == false) {
@@ -211,6 +213,7 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
        if (cap_data == NULL) {
                return false;
        }
+       /* Let's start with the empty inheritable set to avoid any mistakes */
        capsClearInheritable(cap_data);
 
        if (nsjconf->keep_caps) {
@@ -219,6 +222,8 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 
        char dbgmsg[4096];
        dbgmsg[0] = '\0';
+
+       /* Set all requested caps in the inheritable set if these are present in the permitted set */
        struct ints_t *p;
        TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
                if (capsGetPermitted(cap_data, p->val) == false) {
@@ -234,6 +239,7 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
                return false;
        }
 
+       /* Make sure inheritable set is preserved across execve via the modified ambient set */
        dbgmsg[0] = '\0';
        TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
@@ -246,6 +252,10 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
        }
        LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
 
+       /*
+        * Make sure all other caps (those which were not explicitly requested) are removed from the
+        * bounding set
+        */
        dbgmsg[0] = '\0';
        for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
                if (capsGetInheritable(cap_data, capNames[i].val) == true) {