capabilities: make sure that CAP_SETPCAP is cleared

When we didn't require CAP_SETPCAP, make sure we drop it when we're
finished manipulating the bounding set.

Additionally, fixes the capability bit tests for caps larger than
32 bits. The compiler didn't know to warn about the potentially out-of-range
<<-operator usage.

BUG=chromium-os:38643
TEST=link build, security_Minijail0 passes, verified CAP_SETPCAP is missing:
 `minijail0 -c 0 /bin/cat /proc/self/status | grep CapEff` is all zeros
 `minijail0 -c 1 /bin/cat /proc/self/status | grep CapEff` is 1

Change-Id: I7c0722c3bc775164486ff9628fc0c2005ae9275d
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42670
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
1 file changed
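
The check from the TEST line, written as an added example (not minijail's code and not part of this commit): it parses `CapEff` from `/proc/self/status` text and tests capability bits with a 64-bit constant, so numbers of 32 and above address the right bit. The function names and the status excerpts are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETPCAP    8   /* numbers from <linux/capability.h> */
#define CAP_WAKE_ALARM 35  /* a capability above bit 31 */

/* Constructed /proc/self/status excerpts (not captured output). */
static const char STATUS_C1[] =
    "Name:\tcat\nCapPrm:\t0000000000000001\nCapEff:\t0000000000000001\n";
static const char STATUS_LEAK[] =
    "Name:\tcat\nCapPrm:\t0000000000000101\nCapEff:\t0000000000000101\n";

/* 64-bit-safe test: widen the constant before shifting so caps >= 32 work. */
static int cap_is_set(uint64_t mask, unsigned int cap) {
    return cap < 64 && (mask & (UINT64_C(1) << cap)) != 0;
}

/* Parse the hex value of the line starting with "CapEff:". 0 on success. */
static int parse_capeff(const char *status, uint64_t *out) {
    static const char key[] = "CapEff:";
    for (const char *p = status; *p; p += (*p == '\n')) {
        if (strncmp(p, key, sizeof(key) - 1) == 0) {
            const char *val = p + sizeof(key) - 1;
            val += strspn(val, " \t");
            if (!isxdigit((unsigned char)*val))
                return -1;   /* field empty or malformed */
            *out = strtoull(val, NULL, 16);
            return 0;
        }
        p += strcspn(p, "\n");   /* skip to end of this line */
    }
    return -1;   /* no CapEff line */
}

/* 1 if CAP_SETPCAP is absent from CapEff, 0 if still present, -1 on error. */
static int setpcap_dropped(const char *status) {
    uint64_t eff;
    if (parse_capeff(status, &eff) != 0)
        return -1;
    return !cap_is_set(eff, CAP_SETPCAP);
}

int main(void) {
    printf("-c 1: %d, leak: %d\n", setpcap_dropped(STATUS_C1), setpcap_dropped(STATUS_LEAK));
    printf("bit 35 set: %d\n", cap_is_set(UINT64_C(1) << CAP_WAKE_ALARM, CAP_WAKE_ALARM));
    return 0;
}
```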