caps: shorter debug messages
parent
c9e95e7be2
commit
074582782c
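--- a/Makefile
+++ b/Makefile
@@ -137,7 +137,7 @@ indent:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
-caps.o: caps.h common.h log.h
+caps.o: caps.h common.h log.h util.h
 cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h util.h user.h
 config.o: common.h caps.h config.h log.h mount.h user.h util.h
 contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h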
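--- a/caps.c
+++ b/caps.c
@@ -28,6 +28,7 @@
 #include <unistd.h>
 
 #include "log.h"
+#include "util.h"
 
 #define VALSTR_STRUCT(x) { x, #x }
 
@@ -148,12 +149,14 @@ bool capsInitNs(struct nsjconf_t *nsjconf)
 cap_t cap_orig = capsGet();
 cap_t cap_new = capsGet();
 
+char dbgmsg[4096];
+dbgmsg[0] = '\0';
+
 if (nsjconf->keep_caps) {
 for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
 cap_flag_value_t v = capsGetCap(cap_orig, capNames[i].val, CAP_PERMITTED);
 if (v == CAP_SET) {
-LOG_D("Adding '%s' capability to the inheritable set",
-capNames[i].name);
+utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
 }
 capsSetCap(cap_new, capNames[i].val, CAP_INHERITABLE, v);
 }
@@ -168,12 +171,14 @@ bool capsInitNs(struct nsjconf_t *nsjconf)
 capsFree(cap_new);
 return false;
 }
-LOG_D("Adding '%s' capability to the inheritable set",
-capsValToStr(p->val));
+utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
 capsSetCap(cap_new, p->val, CAP_INHERITABLE, CAP_SET);
 }
 }
 
+LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg);
+dbgmsg[0] = '\0';
+
 if (cap_set_proc(cap_new) == -1) {
 capsFree(cap_orig);
 capsFree(cap_new);
@@ -188,27 +193,31 @@ bool capsInitNs(struct nsjconf_t *nsjconf)
 if (capsGetCap(cap_orig, capNames[i].val, CAP_PERMITTED) != CAP_SET) {
 continue;
 }
-LOG_D("Adding '%s' capability to the ambient set", capNames[i].name);
 if (prctl
 (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)capNames[i].val,
 0UL, 0UL) == -1) {
 PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
 capNames[i].name);
+} else {
+utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capNames[i].name);
 }
 }
 } else {
 struct ints_t *p;
 TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
-LOG_D("Adding '%s' capability to the ambient set", capsValToStr(p->val));
 if (prctl
 (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL,
 0UL) == -1) {
 PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)",
 capsValToStr(p->val));
+} else {
+utilSSnPrintf(dbgmsg, sizeof(dbgmsg), " %s", capsValToStr(p->val));
 }
 }
 }
 
+LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
+
 capsFree(cap_orig);
 capsFree(cap_new);
 return true;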
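Review bot: Both summary `LOG_D` calls in capsInitNs print an empty list when no capability was added, which in a sandbox's debug log is hard to tell apart from a truncated line or a skipped step; consider `LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg[0] ? dbgmsg : " (none)");` and the same form for the inheritable message. The accumulation also depends on `utilSSnPrintf` appending to `dbgmsg` and staying within `sizeof(dbgmsg)`, which this diff does not show, so a short comment at the `char dbgmsg[4096];` declaration stating that contract would help the next reader. The ambient summary now lists only capabilities whose `prctl` call succeeded, which is the more accurate record for auditing, while failures remain visible only through `PLOG_W`. capsInitNs starts and ends outside these hunks.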