exec: properly apply capability bounding set, add inverted bounding sets
[elogind.git] / src / execute.c
index ee05e994450de54375aec6229097790fdcc7d840..a467411f7dab13c238a8094f480240e4b8ad7cb9 100644 (file)
@@ -55,6 +55,7 @@
 #include "exit-status.h"
 #include "missing.h"
 #include "utmp-wtmp.h"
+#include "def.h"
 
 /* This assumes there is a 'tty' group */
 #define TTY_MODE 0620
@@ -173,9 +174,9 @@ static int connect_logger_as(const ExecContext *context, ExecOutput output, cons
 
         zero(sa);
         sa.sa.sa_family = AF_UNIX;
-        strncpy(sa.un.sun_path+1, LOGGER_SOCKET, sizeof(sa.un.sun_path)-1);
+        strncpy(sa.un.sun_path, LOGGER_SOCKET, sizeof(sa.un.sun_path));
 
-        if (connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + 1 + sizeof(LOGGER_SOCKET) - 1) < 0) {
+        if (connect(fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + sizeof(LOGGER_SOCKET) - 1) < 0) {
                 close_nointr_nofail(fd);
                 return -errno;
         }
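Review bot: The length handed to connect() on the new line is derived from `sizeof(LOGGER_SOCKET) - 1`, while the copy above it is bounded by `sizeof(sa.un.sun_path)`; nothing ties the two together, so if the macro (defined elsewhere, presumably in the newly included def.h) were ever longer than sun_path, strncpy would truncate silently and connect() would be told a length running past the end of the structure. Both operands are compile-time constants, so a static check next to the copy documents and enforces the invariant, e.g. `assert_cc(sizeof(LOGGER_SOCKET) <= sizeof(sa.un.sun_path));` if the project has such a macro. The move from the abstract namespace (the old `sun_path+1`) to a filesystem path also means the logger endpoint is now subject to directory and socket permissions and has to be reachable from the root the spawned process sees, which deserves a comment such as `/* Filesystem (not abstract) socket: path must exist and be connectable in the child's view of the FS */` at the copy. connect_logger_as begins before this hunk.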
@@ -1248,6 +1249,15 @@ int exec_spawn(ExecCommand *command,
                                 }
                         }
 
+                        if (context->capability_bounding_set_drop)
+                                for (i = 0; i <= CAP_LAST_CAP; i++)
+                                        if (context->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i)) {
+                                                if (prctl(PR_CAPBSET_DROP, i) < 0) {
+                                                        r = EXIT_CAPABILITIES;
+                                                        goto fail_child;
+                                                }
+                                        }
+
                         if (context->user)
                                 if (enforce_user(context, uid) < 0) {
                                         r = EXIT_USER;
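Review bot: The new drop loop iterates up to the compile-time CAP_LAST_CAP, but PR_CAPBSET_DROP returns EINVAL for capability numbers the running kernel does not know, so a binary built against headers newer than the kernel would fail every unit that sets a bounding set with EXIT_CAPABILITIES. Tolerating that one errno does not weaken the result, since a capability the kernel has never heard of cannot be held: `if (prctl(PR_CAPBSET_DROP, i) < 0 && errno != EINVAL) {` (EPERM still fails closed). The placement before the user switch is right but unexplained; a comment like `/* Drop before enforce_user(): PR_CAPBSET_DROP needs CAP_SETPCAP, which the uid change presumably sheds */` would keep a later reorder from breaking it. exec_spawn starts and ends outside this hunk.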
@@ -1663,15 +1673,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                         (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 
         if (c->capability_bounding_set_drop) {
-                fprintf(f, "%sCapabilityBoundingSetDrop:", prefix);
+                fprintf(f, "%sCapabilityBoundingSet:", prefix);
 
                 for (i = 0; i <= CAP_LAST_CAP; i++)
-                        if (c->capability_bounding_set_drop & (1 << i)) {
+                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
                                 char *t;
 
                                 if ((t = cap_to_name(i))) {
                                         fprintf(f, " %s", t);
-                                        free(t);
+                                        cap_free(t);
                                 }
                         }
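Review bot: After the label change the stored field is still named `capability_bounding_set_drop` while the dump is headed `CapabilityBoundingSet:` and prints the negation of each bit, and nothing in the loop says why; a comment above the `for`, `/* The field holds the caps to DROP; print its complement so the dump mirrors the CapabilityBoundingSet= setting */`, would spare the next reader the inversion. The move from `1 << i` to a `uint64_t` shift and from `free()` to `cap_free()` are both correct and worth a brief why-comment on the shift line, since `CAP_LAST_CAP` exceeding 31 is what made the old form undefined. exec_context_dump continues past this hunk.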