capabilities: make sure that CAP_SETPCAP is cleared

When we didn't require CAP_SETPCAP, make sure we drop it when we're
finished manipulating the bounding set.

Additionally, fixes the capability bit tests for caps larger than
32 bits. The compiler didn't know to warn about the potentially out-of-range
<<-operator usage.

BUG=chromium-os:38643
TEST=link build, security_Minijail0 passes, verified CAP_SETPCAP is missing:
`minijail0 -c 0 /bin/cat /proc/self/status | grep CapEff` is all zeros
`minijail0 -c 1 /bin/cat /proc/self/status | grep CapEff` is 1
Change-Id: I7c0722c3bc775164486ff9628fc0c2005ae9275d
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42670
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
1 file changed
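
The check described in the TEST line, and the 64-bit bit test the message refers to, as an added example (not code from this commit or from minijail). The helper names and the sample `CapEff` lines are constructed for illustration; the capability numbers are those in `<linux/capability.h>`.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_CHOWN   0
#define CAP_SETPCAP 8
#define CAP_SYSLOG  34 /* one of the capabilities numbered above 31 */

/* Test one capability bit in a 64-bit mask. The shifted constant must be
 * 64 bits wide: `1 << cap` shifts a 32-bit int, which is undefined
 * behaviour for cap >= 32 and draws no warning when cap is a variable. */
static int cap_is_set(uint64_t mask, unsigned int cap)
{
    return cap < 64 && (mask & (UINT64_C(1) << cap)) != 0;
}

/* Parse a "CapEff:\t<hex>" line as found in /proc/<pid>/status.
 * Returns 0 on success, -1 if this is not a parsable CapEff line. */
static int parse_capeff(const char *line, uint64_t *mask)
{
    if (strncmp(line, "CapEff:", 7) != 0)
        return -1;
    return sscanf(line + 7, "%" SCNx64, mask) == 1 ? 0 : -1;
}

/* Returns 1 if the line parses and CAP_SETPCAP is absent from it. */
static int setpcap_cleared(const char *line)
{
    uint64_t mask = 0;
    return parse_capeff(line, &mask) == 0 && !cap_is_set(mask, CAP_SETPCAP);
}

int main(void)
{
    /* Constructed sample lines, not captured output. */
    const char *samples[] = {
        "CapEff:\t0000000000000000", /* no capabilities */
        "CapEff:\t0000000000000001", /* CAP_CHOWN only */
        "CapEff:\t0000000400000100", /* CAP_SYSLOG and CAP_SETPCAP */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t mask = 0;
        parse_capeff(samples[i], &mask);
        printf("%016" PRIx64 " setpcap_cleared=%d syslog=%d\n", mask,
               setpcap_cleared(samples[i]), cap_is_set(mask, CAP_SYSLOG));
    }
    return 0;
}
```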