Makefile: correct proto dep, plus some comments in caps.c
parent
7820553cb9
commit
8aafd1b41b
7
Makefile
7
Makefile
@ -76,8 +76,9 @@ ifeq ("$(wildcard kafel/Makefile)","")
|
|||||||
endif
|
endif
|
||||||
$(MAKE) -C kafel
|
$(MAKE) -C kafel
|
||||||
|
|
||||||
|
# Sequence of proto deps, which doesn't fit automatic make rules
|
||||||
|
config.o: $(SRCS_PB_O) $(SRCS_PB_H)
|
||||||
$(SRCS_PB_O): $(SRCS_PB_CXX) $(SRCS_PB_H)
|
$(SRCS_PB_O): $(SRCS_PB_CXX) $(SRCS_PB_H)
|
||||||
|
|
||||||
$(SRCS_PB_CXX) $(SRCS_PB_H): $(SRCS_PROTO)
|
$(SRCS_PB_CXX) $(SRCS_PB_H): $(SRCS_PROTO)
|
||||||
protoc --cpp_out=. $(SRCS_PROTO)
|
protoc --cpp_out=. $(SRCS_PROTO)
|
||||||
|
|
||||||
@ -88,7 +89,7 @@ ifneq ("$(wildcard kafel/Makefile)","")
|
|||||||
endif
|
endif
|
||||||
|
|
||||||
depend:
|
depend:
|
||||||
makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB)
|
makedepend -Y -Ykafel/include -- -- $(SRCS_C) $(SRCS_CXX) $(SRCS_PB_CXX)
|
||||||
|
|
||||||
indent:
|
indent:
|
||||||
clang-format --style=WebKit -i -sort-includes *.c *.h $(SRCS_CXX)
|
clang-format --style=WebKit -i -sort-includes *.c *.h $(SRCS_CXX)
|
||||||
@ -113,4 +114,4 @@ user.o: user.h common.h log.h subproc.h util.h
|
|||||||
util.o: util.h common.h log.h
|
util.o: util.h common.h log.h
|
||||||
uts.o: uts.h common.h log.h
|
uts.o: uts.h common.h log.h
|
||||||
cpu.o: cpu.h common.h log.h util.h
|
cpu.o: cpu.h common.h log.h util.h
|
||||||
config.o: common.h caps.h config.h log.h mount.h user.h util.h config.pb.h
|
config.o: common.h caps.h config.h log.h mount.h user.h util.h
|
||||||
|
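Review bot: The added rule `config.o: $(SRCS_PB_O) $(SRCS_PB_H)` makes config.o wait for the protobuf object files, although compiling config.c should only need the generated header. `config.o: $(SRCS_PB_H)` would state the actual prerequisite and still trigger protoc through the existing `$(SRCS_PB_CXX) $(SRCS_PB_H): $(SRCS_PROTO)` rule. If the object dependency is deliberate (for example to force ordering), the comment above it should say so, e.g. `# config.c includes the generated header, so protoc must run before config.o is built`.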
10
caps.c
10
caps.c
@ -174,6 +174,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
|
|||||||
{
|
{
|
||||||
char dbgmsg[4096];
|
char dbgmsg[4096];
|
||||||
|
|
||||||
|
/* Copy all permitted caps to the inheritable set */
|
||||||
dbgmsg[0] = '\0';
|
dbgmsg[0] = '\0';
|
||||||
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
||||||
if (capsGetPermitted(cap_data, capNames[i].val) == true) {
|
if (capsGetPermitted(cap_data, capNames[i].val) == true) {
|
||||||
@ -187,6 +188,7 @@ static bool CapsInitNsKeepCaps(cap_user_data_t cap_data)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Make sure the inheritable set is preserved across execve via the ambient set */
|
||||||
dbgmsg[0] = '\0';
|
dbgmsg[0] = '\0';
|
||||||
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
||||||
if (capsGetPermitted(cap_data, capNames[i].val) == false) {
|
if (capsGetPermitted(cap_data, capNames[i].val) == false) {
|
||||||
@ -211,6 +213,7 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
|
|||||||
if (cap_data == NULL) {
|
if (cap_data == NULL) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
/* Let's start with the empty inheritable set to avoid any mistakes */
|
||||||
capsClearInheritable(cap_data);
|
capsClearInheritable(cap_data);
|
||||||
|
|
||||||
if (nsjconf->keep_caps) {
|
if (nsjconf->keep_caps) {
|
||||||
@ -219,6 +222,8 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
|
|||||||
|
|
||||||
char dbgmsg[4096];
|
char dbgmsg[4096];
|
||||||
dbgmsg[0] = '\0';
|
dbgmsg[0] = '\0';
|
||||||
|
|
||||||
|
/* Set all requested caps in the inheritable set if these are present in the permitted set */
|
||||||
struct ints_t *p;
|
struct ints_t *p;
|
||||||
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
|
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
|
||||||
if (capsGetPermitted(cap_data, p->val) == false) {
|
if (capsGetPermitted(cap_data, p->val) == false) {
|
||||||
@ -234,6 +239,7 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Make sure inheritable set is preserved across execve via the modified ambient set */
|
||||||
dbgmsg[0] = '\0';
|
dbgmsg[0] = '\0';
|
||||||
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
|
TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
|
||||||
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
|
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) ==
|
||||||
@ -246,6 +252,10 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
|
|||||||
}
|
}
|
||||||
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
|
LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Make sure all other caps (those which were not explicitly requested) are removed from the
|
||||||
|
* bounding set
|
||||||
|
*/
|
||||||
dbgmsg[0] = '\0';
|
dbgmsg[0] = '\0';
|
||||||
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
for (size_t i = 0; i < ARRAYSIZE(capNames); i++) {
|
||||||
if (capsGetInheritable(cap_data, capNames[i].val) == true) {
|
if (capsGetInheritable(cap_data, capNames[i].val) == true) {
|
||||||
|
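Review bot: The new comment before the last loop in capsInitNs promises that all caps which were not explicitly requested are removed from the bounding set, but the loop under it walks only `capNames`, so the guarantee covers only the capabilities that table lists. If the running kernel supports a capability missing from the table (the table is not visible here, so this needs checking), that capability would stay in the bounding set while the comment says otherwise. I would either word it as `/* Drop from the bounding set every cap listed in capNames that was not requested */` or extend the loop to run up to the kernel's last supported capability. The loop body continues outside the hunk.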