sanebox: improve the capsh stuff a bit more
This commit is contained in:
@@ -886,17 +886,29 @@ capshonlyIngestCapability() {
|
|||||||
# `capsh --caps=CAP_FOO=eip -- true` will fail if we don't have CAP_FOO,
|
# `capsh --caps=CAP_FOO=eip -- true` will fail if we don't have CAP_FOO,
|
||||||
# but for my use i'd still like to try running the command even if i can't grant it all capabilities.
|
# but for my use i'd still like to try running the command even if i can't grant it all capabilities.
|
||||||
# therefore, only grant it those capabilities i know will succeed.
|
# therefore, only grant it those capabilities i know will succeed.
|
||||||
|
locate _capsh "capsh" "$CAPSH_FALLBACK"
|
||||||
|
|
||||||
capsh "--has-p=cap_$1" 2>/dev/null
|
local hasP=
|
||||||
local hasP=$?
|
local hasI=
|
||||||
capsh "--has-i=cap_$1" 2>/dev/null
|
if "$_capsh" "--has-a=cap_$1" 2>/dev/null; then
|
||||||
local hasI=$?
|
# XXX: this ambient special case could probably be removed:
|
||||||
if [ "$hasP" = 0 ] || [ "$hasI" = 0 ]; then
|
# a capability can't be ambient without also being I and P, IIUC.
|
||||||
|
hasP=1
|
||||||
|
hasI=1
|
||||||
|
else
|
||||||
|
if "$_capsh" "--has-p=cap_$1" 2>/dev/null; then
|
||||||
|
hasP=1
|
||||||
|
fi
|
||||||
|
if "$_capsh" "--has-i=cap_$1" 2>/dev/null; then
|
||||||
|
hasI=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -n "$hasI" ] || [ -n "$hasP" ]; then
|
||||||
# hasP means "able to add to E or I set.
|
# hasP means "able to add to E or I set.
|
||||||
# so, if we have the cap in *either* P or I, then we can place it in I here.
|
# so, if we have the cap in *either* P or I, then we can place it in I here.
|
||||||
# only if we have it in P can we add it to P and E.
|
# only if we have it in P can we add it to P and E.
|
||||||
local ext=i
|
local ext=i
|
||||||
if [ "$hasP" = 0 ]; then
|
if [ -n "$hasP" ]; then
|
||||||
ext="e${ext}p"
|
ext="e${ext}p"
|
||||||
fi
|
fi
|
||||||
capshCapsArg="$capshCapsArg cap_$1+$ext"
|
capshCapsArg="$capshCapsArg cap_$1+$ext"
|
||||||
|
Reference in New Issue
Block a user