Don't call cap_get_proc(3) unconditionally.
cap_get_proc(3) uses the capget(2) system call. Don't call
cap_get_proc(3) if |flags.use_caps| is not set, to avoid
having the program call a capability-related syscall even
when capabilities are not being used.
Bug: 27366428
Change-Id: Ifb797bc5f1a43adf4f9fa2fff3ef7d6f4bd9c958
diff --git a/libminijail.c b/libminijail.c
index a38eb64..1d90aef 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1248,14 +1248,13 @@
void drop_caps(const struct minijail *j, unsigned int last_valid_cap)
{
+ if (!j->flags.use_caps)
+ return;
+
cap_t caps = cap_get_proc();
cap_value_t flag[1];
const uint64_t one = 1;
unsigned int i;
-
- if (!j->flags.use_caps)
- return;
-
if (!caps)
die("can't get process caps");
if (cap_clear_flag(caps, CAP_INHERITABLE))
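Review bot: The `use_caps` guard at the top of drop_caps() is now order-dependent, but nothing in the code records why it must precede `cap_t caps = cap_get_proc();`. A later tidy-up that hoists the declarations back above the first statement would silently restore the unconditional capget(2) call. I would add a comment above the guard such as `/* Return before cap_get_proc(3): it issues capget(2), which must not be called when caps are unused. */`. It may also be worth declaring `cap_t caps;` with the other locals and assigning `caps = cap_get_proc();` after the guard, so the block keeps declarations ahead of statements. The function body continues past the end of this hunk, so whether `caps` is released on every later path cannot be checked from here.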