From: Robert Swiecki Date: Sun, 1 Oct 2017 03:38:26 +0000 (+0200) Subject: caps: call prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL) early X-Git-Tag: 1.9~44 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1bdd9843dfaadb6effdaebb1695f6a3e5ccf5b13;p=platform%2Fupstream%2Fnsjail.git caps: call prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL) early
---
diff --git a/caps.c b/caps.c
index 466361a..ce5db23 100644
--- a/caps.c
+++ b/caps.c
@@ -224,8 +224,16 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 if (cap_data == NULL) {
 return false;
 }
+ /* Let's start with the empty inheritable set to avoid any mistakes */
 capsClearInheritable(cap_data);
+ /*
+ * Remove all capabilities from the ambient set first. It works with newer kernel version only,
+ * so don't fail if it fails
+ */
+ if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
+ PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
+ }
 if (nsjconf->keep_caps) {
 return CapsInitNsKeepCaps(cap_data);
@@ -270,9 +278,6 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 /* Make sure inheritable set is preserved across execve via the modified ambient set */
 dbgmsg[0] = '\0';
- if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
- PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
- }
 TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
 if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) == -1) {
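Review bot: The early PR_CAP_AMBIENT_CLEAR_ALL call added in the first hunk treats every failure as the benign "old kernel" case and only warns, but the only failure the comment justifies tolerating is EINVAL (the option is unknown to kernels without ambient capability support, pre-4.3); any other errno on a kernel that does support ambient caps means the ambient set may still be populated when execution continues into the keep_caps branch or the later RAISE loop, and since capsInitNs returns bool that case can be reported instead of swallowed. Suggested shape: `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1 && errno != EINVAL) { PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)"); return false; }`, with a debug-level log for the EINVAL path so the unsupported case remains visible. The comment should also say which failure is tolerated and why, e.g. `/* Clear the ambient set before anything else; EINVAL means the kernel predates ambient capabilities (4.3), which is harmless because there is then no ambient set to inherit across execve */`. The exposure is presumably limited because a later capset() that drops inheritable bits also shrinks the ambient set to permitted ∩ inheritable, but that capset is outside the hunk and I cannot confirm it runs on every path here. capsInitNs both starts and continues outside this hunk.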