From ba301697f98c03d079f3e80f52d8d4addadb1fb1 Mon Sep 17 00:00:00 2001
From: Alexander Koch
Date: Wed, 16 Dec 2020 18:02:31 +0100
Subject: [PATCH] cifs.upcall: drop capabilities only if CAP_SETPCAP is given

Make drop_call_capabilities() in cifs.upcall update the capabilities only if CAP_SETCAP is present. This is an addendum to the patch recently provided in [1]. Without this additional change, cifs.upcall can still fail while trying to mount a CIFS network share with krb5:
kernel: CIFS: Attempting to mount //server.domain.lan/myshare
cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
cifs.upcall[39484]: ver=2
cifs.upcall[39484]: host=server.domain.lan
cifs.upcall[39484]: ip=172.22.3.14
cifs.upcall[39484]: sec=1
cifs.upcall[39484]: uid=1000
cifs.upcall[39484]: creduid=1000
cifs.upcall[39484]: user=username
cifs.upcall[39484]: pid=39481
cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[39484]: Exit status 1
[1] https://marc.info/?l=linux-cifs&m=160595758021261
Signed-off-by: Alexander Koch
---
 cifs.upcall.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index af1a0b0..bc57c4d 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -121,10 +121,14 @@ static int
 drop_all_capabilities(void)
 {
 capng_clear(CAPNG_SELECT_BOTH);
- if (capng_apply(CAPNG_SELECT_BOTH)) {
- syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
- return 1;
+
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ if (capng_apply(CAPNG_SELECT_BOTH)) {
+ syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
+ return 1;
+ }
 }
+
 return 0;
 }
 #else /* HAVE_LIBCAP_NG */
--
2.29.2
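Review bot: The `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` test runs after `capng_clear(CAPNG_SELECT_BOTH)`, and libcap-ng answers that query from its in-memory state rather than from the kernel, so the condition is expected to be false on every call. `capng_apply()` is then skipped and drop_all_capabilities() returns 0 with nothing dropped, which callers will read as a successful privilege drop. Only the bounding set needs CAP_SETPCAP; the effective, permitted and inheritable sets can be cleared without it, so a process lacking CAP_SETPCAP should still apply `CAPNG_SELECT_CAPS`. The sketch below makes the query before the clear and then picks the set to apply. Whether the in-memory state at that point still mirrors the process depends on earlier capng calls that this hunk does not show.

```c
drop_all_capabilities(void)
{
	capng_select_t set = CAPNG_SELECT_CAPS;

	/* Ask before capng_clear(): the query reads libcap-ng's in-memory state. */
	if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
		set = CAPNG_SELECT_BOTH;	/* bounding set can be dropped as well */

	capng_clear(CAPNG_SELECT_BOTH);
	if (capng_apply(set)) {
		/* … unchanged: syslog(LOG_ERR, …) and return 1 … */
	}
	/* … unchanged: return 0 … */
```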