int
main(int argc, char *argv[])
{
cap_t caps;
pid_t pid;
int r;
/* Create child; child commences execution in childFunc() */
printf("******* info of the parent process - start ********\n");
caps = cap_get_proc();
printf("Before unshare, the capabilities are:\n");
printf("capabilities: %s\n", cap_to_text(caps, NULL));
r = unshare(CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER );
if(r == -1) {
printf("unshare failed: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
caps = cap_get_proc();
printf("After unshare, the capabilities are:\n");
printf("capabilities: %s\n", cap_to_text(caps, NULL));
printf("the process pid is: %ld\n", (long)getpid());
r = execlp("sh", "sh", (char *)0);
if(r == -1) {
printf("execlp failed: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* run during request cleanup */
static apr_status_t ruid_suidback (void *data)
{
request_rec *r = data;
ruid_config_t *conf = ap_get_module_config (r->server->module_config, &ruid2_module);
core_server_config *core = (core_server_config *) ap_get_module_config(r->server->module_config, &core_module);
cap_t cap;
cap_value_t capval[3];
if (cap_mode == RUID_CAP_MODE_KEEP) {
cap=cap_get_proc();
capval[0]=CAP_SETUID;
capval[1]=CAP_SETGID;
capval[2]=CAP_SYS_CHROOT;
cap_set_flag(cap, CAP_EFFECTIVE, (conf->chroot_dir ? 3 : 2), capval, CAP_SET);
if (cap_set_proc(cap)!=0) {
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed before setuid", MODULE_NAME, __func__);
}
cap_free(cap);
setgroups(startup_groupsnr, startup_groups);
setgid(ap_unixd_config.group_id);
setuid(ap_unixd_config.user_id);
/* set httpd process dumpable after setuid */
if (coredump) {
prctl(PR_SET_DUMPABLE,1);
}
/* jail break */
if (conf->chroot_dir) {
if (fchdir(root_handle) < 0) {
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s failed to fchdir to root dir (%d) (%s)", MODULE_NAME, root_handle, strerror(errno));
} else {
if (chroot(".") != 0) {
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s jail break failed", MODULE_NAME);
}
}
core->ap_document_root = old_root;
}
cap=cap_get_proc();
capval[0]=CAP_SETUID;
capval[1]=CAP_SETGID;
capval[2]=CAP_SYS_CHROOT;
cap_set_flag(cap, CAP_EFFECTIVE, 3, capval, CAP_CLEAR);
if (cap_set_proc(cap)!=0) {
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed after setuid", MODULE_NAME, __func__);
}
cap_free(cap);
}
return DECLINED;
}
static int sysnet_get_permissions()
{
cap_t caps = cap_get_proc();
if (caps == NULL) {
perror("cap_get_proc()");
return errno;
}
cap_value_t cap_list = CAP_NET_ADMIN;
int error = 0;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_list, CAP_SET) == -1) {
error = errno;
perror("cap_set_flags(CAP_NET_ADMIN)");
}
if (cap_set_proc(caps) == -1) {
error = errno;
perror("cap_set_proc(CAP_NET_ADMIN)");
}
if (cap_free(caps) == -1) {
error = errno;
perror("cap_free()");
}
return error;
}
static int
bin_cap(char *nam, char **argv, UNUSED(Options ops), UNUSED(int func))
{
int ret = 0;
cap_t caps;
if(*argv) {
unmetafy(*argv, NULL);
caps = cap_from_text(*argv);
if(!caps) {
zwarnnam(nam, "invalid capability string");
return 1;
}
if(cap_set_proc(caps)) {
zwarnnam(nam, "can't change capabilities: %e", errno);
ret = 1;
}
} else {
char *result = NULL;
ssize_t length;
caps = cap_get_proc();
if(caps)
result = cap_to_text(caps, &length);
if(!caps || !result) {
zwarnnam(nam, "can't get capabilities: %e", errno);
ret = 1;
} else
puts(result);
}
cap_free(caps);
return ret;
}
int modify_capability(cap_value_t cap, cap_flag_value_t on)
{
cap_t cap_p = cap_get_proc();
cap_flag_value_t cap_ok;
int rc = -1;
if (!cap_p) {
perror("ping: cap_get_proc");
goto out;
}
cap_ok = CAP_CLEAR;
cap_get_flag(cap_p, cap, CAP_PERMITTED, &cap_ok);
if (cap_ok == CAP_CLEAR) {
rc = on ? -1 : 0;
goto out;
}
cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap, on);
if (cap_set_proc(cap_p) < 0) {
perror("ping: cap_set_proc");
goto out;
}
cap_free(cap_p);
rc = 0;
out:
if (cap_p)
cap_free(cap_p);
return rc;
}
int main(int argc, char *argv[])
{
#ifdef HAVE_LIBCAP
cap_t cap = cap_get_proc();
int fd;
int seqno = 0;
char buf[2000];
if (argc > 1)
seqno = atoi(argv[1]);
if (!cap) {
perror("print_caps - cap_get_proc");
exit(1);
}
fd = open(FIFOFILE, O_WRONLY);
if (!fd) {
perror("print_caps: open fifo");
exit(2);
}
snprintf(buf, 2000, "%d.%s", seqno, cap_to_text(cap, NULL));
write(fd, buf, strlen(buf)+1);
close(fd);
cap_free(cap);
#endif
return 0;
}
static capa_status cap_check(cap_value_t capa, user_interaction & ui, bool verbose, const std::string & capa_name)
{
capa_status ret = capa_unknown;
cap_t capaset = cap_get_proc();
cap_flag_value_t val;
try
{
if(cap_get_flag(capaset, capa, CAP_EFFECTIVE, &val) == 0)
ret = (val == CAP_SET) ? capa_set : capa_clear;
else
{
ret = capa_unknown;
if(verbose)
{
string tmp = strerror(errno);
ui.printf(gettext("Error met while checking for capability %S: %S"), &capa_name, &tmp);
}
}
}
catch(...) // well a try/catch may seems useless here, but it does not hurt ... :-)
{
cap_free(capaset);
throw;
}
cap_free(capaset);
return ret;
}
int lxc_caps_down(void)
{
cap_t caps;
int ret;
/* when we are run as root, we don't want to play
* with the capabilities */
if (!getuid())
return 0;
caps = cap_get_proc();
if (!caps) {
ERROR("failed to cap_get_proc: %m");
return -1;
}
ret = cap_clear_flag(caps, CAP_EFFECTIVE);
if (ret) {
ERROR("failed to cap_clear_flag: %m");
goto out;
}
ret = cap_set_proc(caps);
if (ret) {
ERROR("failed to cap_set_proc: %m");
goto out;
}
out:
cap_free(caps);
return 0;
}
void debug_print_caps(char *when)
{
char buf[2000];
tst_resm(TINFO, "%s", when);
snprintf(buf, 2000, "%s", cap_to_text(cap_get_proc(), NULL));
tst_resm(TINFO, "%s", buf);
}
/*
* check if we have the caps needed to start a container. returns 1 on
* success, 0 on error. (I'd prefer this be a bool, but am afraid that
* might fail to build on some distros).
*/
int lxc_caps_check(void)
{
uid_t uid = getuid();
cap_t caps;
cap_flag_value_t value;
int i, ret;
cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
if (!uid)
return 1;
caps = cap_get_proc();
if (!caps) {
ERROR("failed to cap_get_proc: %m");
return 0;
}
for (i=0; i<NUMCAPS; i++) {
ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
if (ret) {
ERROR("Failed to cap_get_flag: %m");
return 0;
}
if (!value) {
return 0;
}
}
return 1;
}
int
modify_cap (int capability, int setting)
{
cap_t caps;
cap_value_t capList[1];
caps = cap_get_proc ();
if (caps == NULL)
return -1;
capList[0] = capability;
if (cap_set_flag (caps, CAP_EFFECTIVE, 1, capList, setting) == -1) {
cap_free (caps);
return -1;
}
if (cap_set_proc (caps) == -1) {
cap_free (caps);
return -1;
}
if (cap_free (caps) == -1)
return -1;
return 0;
}
int modify_capability(cap_value_t cap, cap_flag_value_t on)
{
cap_t cap_p = cap_get_proc();
if (!cap_p) {
perror("cap_get_proc");
return -1;
}
if (cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap, on) < 0) {
perror("cap_set_flag");
return -1;
}
if (cap_set_proc(cap_p) < 0) {
perror("cap_set_proc");
return -1;
}
if (cap_free(cap_p) < 0) {
perror("cap_free");
return -1;
}
return 0;
}
/**************************************************************************
Try and abstract process capabilities (for systems that have them).
****************************************************************************/
static BOOL set_process_capability( uint32 cap_flag, BOOL enable )
{
if(cap_flag == KERNEL_OPLOCK_CAPABILITY) {
cap_t cap = cap_get_proc();
if (cap == NULL) {
DEBUG(0,("set_process_capability: cap_get_proc failed. Error was %s\n",
strerror(errno)));
return False;
}
if(enable)
cap->cap_effective |= CAP_NETWORK_MGT;
else
cap->cap_effective &= ~CAP_NETWORK_MGT;
if (cap_set_proc(cap) == -1) {
DEBUG(0,("set_process_capability: cap_set_proc failed. Error was %s\n",
strerror(errno)));
cap_free(cap);
return False;
}
cap_free(cap);
DEBUG(10,("set_process_capability: Set KERNEL_OPLOCK_CAPABILITY.\n"));
}
return True;
}
static bool set_inherited_process_capability( uint32_t cap_flag, bool enable )
{
if(cap_flag == KERNEL_OPLOCK_CAPABILITY) {
cap_t cap = cap_get_proc();
if (cap == NULL) {
DEBUG(0,("set_inherited_process_capability: cap_get_proc failed. Error was %s\n",
strerror(errno)));
return false;
}
if(enable)
cap->cap_inheritable |= CAP_NETWORK_MGT;
else
cap->cap_inheritable &= ~CAP_NETWORK_MGT;
if (cap_set_proc(cap) == -1) {
DEBUG(0,("set_inherited_process_capability: cap_set_proc failed. Error was %s\n",
strerror(errno)));
cap_free(cap);
return false;
}
cap_free(cap);
DEBUG(10,("set_inherited_process_capability: Set KERNEL_OPLOCK_CAPABILITY.\n"));
}
return true;
}
/* run in map_to_storage hook */
static int ruid_uiiii (request_rec *r)
{
if (!ap_is_initial_req(r)) {
return DECLINED;
}
int retval = ruid_set_perm(r, __func__);
int ncap;
cap_t cap;
cap_value_t capval[4];
/* clear capabilities from permitted set (permanent) */
if (cap_mode == RUID_CAP_MODE_DROP) {
cap=cap_get_proc();
capval[0]=CAP_SETUID;
capval[1]=CAP_SETGID;
capval[2]=CAP_DAC_READ_SEARCH;
ncap = 2;
if (root_handle == UNSET) capval[ncap++] = CAP_SYS_CHROOT;
cap_set_flag(cap,CAP_PERMITTED,ncap,capval,CAP_CLEAR);
if (cap_set_proc(cap)!=0) {
ap_log_error (APLOG_MARK, APLOG_ERR, 0, NULL, "%s CRITICAL ERROR %s:cap_set_proc failed after setuid", MODULE_NAME, __func__);
retval = HTTP_FORBIDDEN;
}
cap_free(cap);
}
return retval;
}
/**
* g_process_cap_save:
*
* Save the set of current capabilities and return it. The caller might
* restore the saved set of capabilities by using cap_restore().
*
* Returns: the current set of capabilities
**/
cap_t
g_process_cap_save(void)
{
if (!process_opts.caps)
return NULL;
return cap_get_proc();
}
void print_my_caps()
{
cap_t cap = cap_get_proc();
char *txt = cap_to_text(cap, NULL);
tst_resm(TINFO, "\ncaps are %s\n", txt);
cap_free(cap);
cap_free(txt);
}
/**
* g_process_cap_save:
*
* Save the set of current capabilities and return it. The caller might
* restore the saved set of capabilities by using cap_restore().
*
* Returns: the current set of capabilities
**/
cap_t
g_process_cap_save(void)
{
if (!g_process_is_cap_enabled())
return NULL;
return cap_get_proc();
}
static void lower_my_caps(void)
{
struct __user_cap_header_struct caphdr = {
.version = _LINUX_CAPABILITY_VERSION
};
cap_user_data_t capdata;
ssize_t capstrlen = 0;
cap_t my_cap;
char *cap_text;
int capsz;
(void) capget(&caphdr, NULL);
switch (caphdr.version) {
case _LINUX_CAPABILITY_VERSION_1:
capsz = _LINUX_CAPABILITY_U32S_1;
break;
case _LINUX_CAPABILITY_VERSION_2:
capsz = _LINUX_CAPABILITY_U32S_2;
break;
default:
abort(); /* can't happen */
}
capdata = gsh_calloc(capsz, sizeof(struct __user_cap_data_struct));
caphdr.pid = getpid();
if (capget(&caphdr, capdata) != 0)
LogFatal(COMPONENT_INIT,
"Failed to query capabilities for process, errno=%u",
errno);
/* Set the capability bitmask to remove CAP_SYS_RESOURCE */
if (capdata->effective & CAP_TO_MASK(CAP_SYS_RESOURCE))
capdata->effective &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);
if (capdata->permitted & CAP_TO_MASK(CAP_SYS_RESOURCE))
capdata->permitted &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);
if (capdata->inheritable & CAP_TO_MASK(CAP_SYS_RESOURCE))
capdata->inheritable &= ~CAP_TO_MASK(CAP_SYS_RESOURCE);
if (capset(&caphdr, capdata) != 0)
LogFatal(COMPONENT_INIT,
"Failed to set capabilities for process, errno=%u",
errno);
else
LogEvent(COMPONENT_INIT,
"CAP_SYS_RESOURCE was successfully removed for proper quota management in FSAL");
/* Print newly set capabilities (same as what CLI "getpcaps" displays */
my_cap = cap_get_proc();
cap_text = cap_to_text(my_cap, &capstrlen);
LogEvent(COMPONENT_INIT, "currenty set capabilities are: %s",
cap_text);
cap_free(cap_text);
cap_free(my_cap);
gsh_free(capdata);
}
void drop_caps(const struct minijail *j)
{
cap_t caps = cap_get_proc();
cap_value_t flag[1];
const uint64_t one = 1;
unsigned int i;
if (!caps)
die("can't get process caps");
if (cap_clear_flag(caps, CAP_INHERITABLE))
die("can't clear inheritable caps");
if (cap_clear_flag(caps, CAP_EFFECTIVE))
die("can't clear effective caps");
if (cap_clear_flag(caps, CAP_PERMITTED))
die("can't clear permitted caps");
for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) {
/* Keep CAP_SETPCAP for dropping bounding set bits. */
if (i != CAP_SETPCAP && !(j->caps & (one << i)))
continue;
flag[0] = i;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_SET))
die("can't add effective cap");
if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_SET))
die("can't add permitted cap");
if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_SET))
die("can't add inheritable cap");
}
if (cap_set_proc(caps))
die("can't apply initial cleaned capset");
/*
* Instead of dropping bounding set first, do it here in case
* the caller had a more permissive bounding set which could
* have been used above to raise a capability that wasn't already
* present. This requires CAP_SETPCAP, so we raised/kept it above.
*/
for (i = 0; i < sizeof(j->caps) * 8 && run_cap_valid(i); ++i) {
if (j->caps & (one << i))
continue;
if (prctl(PR_CAPBSET_DROP, i))
pdie("prctl(PR_CAPBSET_DROP)");
}
/* If CAP_SETPCAP wasn't specifically requested, now we remove it. */
if ((j->caps & (one << CAP_SETPCAP)) == 0) {
flag[0] = CAP_SETPCAP;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, flag, CAP_CLEAR))
die("can't clear effective cap");
if (cap_set_flag(caps, CAP_PERMITTED, 1, flag, CAP_CLEAR))
die("can't clear permitted cap");
if (cap_set_flag(caps, CAP_INHERITABLE, 1, flag, CAP_CLEAR))
die("can't clear inheritable cap");
}
if (cap_set_proc(caps))
die("can't apply final cleaned capset");
cap_free(caps);
}
int
main(int argc, char **argv)
{
cap_t cap;
cap_flag_value_t effective, permitted;
char bindf[PATH_MAX - 1];
int rv;
if (argc != 3)
usage();
cap = cap_get_proc();
if (cap == NULL) {
fprintf(stderr, "cap_get_proc() returned %s!\n",
strerror(errno));
exit(EXIT_FAILURE);
}
cap_get_flag(cap, CAP_SYS_ADMIN, CAP_EFFECTIVE, &effective);
cap_get_flag(cap, CAP_SYS_ADMIN, CAP_PERMITTED, &permitted);
if ((effective != CAP_SET) && (permitted != CAP_SET)) {
fprintf(stderr, "E: missing 'cap_sys_admin' capability!\n"
"Please set it with: setcap cap_sys_admin=ep %s'\n",
argv[0]);
cap_free(cap);
exit(EXIT_FAILURE);
}
cap_free(cap);
/* Check that status file exists in masterdir */
rv = snprintf(bindf, sizeof(bindf), "%s/.%s_mount_bind_done",
argv[1], argv[2]);
if (rv < 0 || rv >= sizeof(bindf))
exit(EXIT_FAILURE);
if (access(bindf, R_OK) == -1) {
fprintf(stderr, "E: cannot umount %s/%s, missing "
"status file\n", argv[1], argv[2]);
exit(EXIT_FAILURE);
}
/* Security check passed, continue mounting */
rv = snprintf(bindf, sizeof(bindf), "%s/%s", argv[1], argv[2]);
if (rv < 0 || rv >= sizeof(bindf))
exit(EXIT_FAILURE);
if ((rv = umount(bindf)) != 0) {
fprintf(stderr, "E: cannot umount %s: %s\n", argv[1],
strerror(errno));
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* n.b. yes I know I should be using libcap!! */
int retval;
struct __user_cap_header_struct cap_head;
struct __user_cap_data_struct cap_data;
__u32 cap_mask = 0;
if (!caps)
{
bug("asked to adopt no capabilities");
}
vsf_sysutil_memclr(&cap_head, sizeof(cap_head));
vsf_sysutil_memclr(&cap_data, sizeof(cap_data));
cap_head.version = _LINUX_CAPABILITY_VERSION;
cap_head.pid = 0;
if (caps & kCapabilityCAP_CHOWN)
{
cap_mask |= (1 << CAP_CHOWN);
}
if (caps & kCapabilityCAP_NET_BIND_SERVICE)
{
cap_mask |= (1 << CAP_NET_BIND_SERVICE);
}
cap_data.effective = cap_data.permitted = cap_mask;
cap_data.inheritable = 0;
retval = capset(&cap_head, &cap_data);
if (retval != 0)
{
die("capset");
}
}
#else /* VSF_SYSDEP_HAVE_LIBCAP */
static int
do_checkcap(void)
{
cap_t current_caps = cap_get_proc();
cap_free(current_caps);
if (current_caps != NULL)
{
return 1;
}
return 0;
}
static void
display_creds_and_caps(char *msg)
{
cap_t caps;
printf("%seUID = %ld; eGID = %ld; ", msg,
(long) geteuid(), (long) getegid());
caps = cap_get_proc();
printf("capabilities: %s\n", cap_to_text(caps, NULL));
}
static int am_privileged(void)
{
int am_privileged = 1;
cap_t cap = cap_get_proc();
if (eff_caps_empty(cap))
am_privileged = 0;
cap_free(cap);
return am_privileged;
}
void *chg_uid_gid(void *arg)
{
cap_t newcaps;
cap_t mycaps;
int ret;
test_msg("Aux thread runs as UID: %d; GID: %d\n", getuid(), getgid());
newcaps = cap_from_text("cap_setgid,cap_setuid=+eip");
if (!newcaps) {
pr_perror("Failed to get capability struct\n");
exit(1);
}
ret = cap_set_proc(newcaps);
if (ret) {
pr_perror("Failed to set capabilities for the process\n");
exit(1);
}
mycaps = cap_get_proc();
if (!mycaps) {
pr_perror("Failed to get child thread capabilities\n");
exit_group(2);
}
test_msg("Child capabilities: %s\n", cap_to_text(mycaps, NULL));
test_msg("Changing UID/GID in child thread to %d:%d\n", uid, gid);
ret = syscall(SYS_setresgid, gid, gid, gid);
if (ret >= 0) {
syscall(SYS_setresuid, uid, uid, uid);
} else if (ret < 0) {
pr_perror("Failed to change UID/GID\n");
exit_group(2);
}
gid = getgid();
uid = getuid();
test_msg("Now aux thread runs as UID: %d; GID: %d\n", uid, gid);
test_msg("Child thread is waiting for main thread's signal\n");
task_waiter_complete(&t, 1);
pthread_mutex_lock(&mutex);
while (!done) {
pthread_cond_wait(&cond, &mutex);
}
pthread_mutex_unlock(&mutex);
test_msg("Child thread returns\n");
return NULL;
}
static int have_capabilities(void) {
#ifdef HAVE_CAP_GET_PROC
cap_t caps = cap_get_proc();
if (caps) {
cap_flag_value_t value_p;
cap_get_flag(caps, CAP_SYS_CHROOT, CAP_EFFECTIVE,&value_p);
cap_free(caps);
return (value_p);
}
#endif /*HAVE_CAP_GET_PROC*/
return 0;
}
static int child_exec(void *stuff) {
cap_t caps;
printf("eUID=%ld; eGID=%ld; ", (long)geteuid(), (long)getegid());
caps = cap_get_proc();
printf("capabilities: %s\n", cap_to_text(caps, NULL));
struct clone_args *args = (struct clone_args *)stuff;
if (execvp(args->argv[0], args->argv) != 0) {
fprintf(stderr, "failed to execvp argments %d\n", strerror(errno));
exit(-1);
}
// We should never reach here!
exit(-1);
}
static void drop_cap_sys_admin(void)
{
cap_value_t cap_value[] = { CAP_SYS_ADMIN };
cap_t cap = cap_get_proc();
if (!cap)
tst_brk(TBROK | TERRNO, "cap_get_proc failed");
if (cap_set_flag(cap, CAP_EFFECTIVE, 1, cap_value, CAP_CLEAR))
tst_brk(TBROK | TERRNO, "cap_set_flag failed");
if (cap_set_proc(cap))
tst_brk(TBROK | TERRNO, "cap_set_proc failed");
}
int lxc_caps_up(void)
{
cap_t caps;
cap_value_t cap;
int ret;
/* when we are run as root, we don't want to play
* with the capabilities */
if (!getuid())
return 0;
caps = cap_get_proc();
if (!caps) {
ERROR("failed to cap_get_proc: %m");
return -1;
}
//设置程序能力
for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
cap_flag_value_t flag;
ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
if (ret) {
if (errno == EINVAL) {
INFO("Last supported cap was %d\n", cap-1);
break;
} else {
ERROR("failed to cap_get_flag: %m");
goto out;
}
}
ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
if (ret) {
ERROR("failed to cap_set_flag: %m");
goto out;
}
}
ret = cap_set_proc(caps);
if (ret) {
ERROR("failed to cap_set_proc: %m");
goto out;
}
out:
cap_free(caps);
return 0;
}
static void show_capabilities(void) {
cap_t caps;
char *text;
caps = cap_get_proc();
assert_se(caps);
text = cap_to_text(caps, NULL);
assert_se(text);
log_info("Capabilities:%s", text);
cap_free(caps);
cap_free(text);
}