* [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given
@ 2020-12-16 21:44 Jonas Witschel
2020-12-16 22:41 ` Pavel Shilovsky
0 siblings, 1 reply; 2+ messages in thread
From: Jonas Witschel @ 2020-12-16 21:44 UTC (permalink / raw)
To: linux-cifs; +Cc: Alexander Koch, Jonas Witschel
From: Alexander Koch <mail@alexanderkoch.net>
Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
only if CAP_SETCAP is present.
This is an addendum to the patch recently provided in [1]. Without this
additional change, cifs.upcall can still fail while trying to mount a CIFS
network share with krb5:
kernel: CIFS: Attempting to mount //server.domain.lan/myshare
cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
cifs.upcall[39484]: ver=2
cifs.upcall[39484]: host=server.domain.lan
cifs.upcall[39484]: ip=172.22.3.14
cifs.upcall[39484]: sec=1
cifs.upcall[39484]: uid=1000
cifs.upcall[39484]: creduid=1000
cifs.upcall[39484]: user=username
cifs.upcall[39484]: pid=39481
cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[39484]: Exit status 1
[1] https://marc.info/?l=linux-cifs&m=160595758021261
Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
---
cifs.upcall.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 1559434..b62ab50 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -115,8 +115,13 @@ trim_capabilities(bool need_environ)
static int
drop_all_capabilities(void)
{
+ capng_select_t set = CAPNG_SELECT_CAPS;
+
capng_clear(CAPNG_SELECT_BOTH);
- if (capng_apply(CAPNG_SELECT_BOTH)) {
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ set = CAPNG_SELECT_BOTH;
+ }
+ if (capng_apply(set)) {
syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
return 1;
}
--
2.29.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given
2020-12-16 21:44 [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given Jonas Witschel
@ 2020-12-16 22:41 ` Pavel Shilovsky
0 siblings, 0 replies; 2+ messages in thread
From: Pavel Shilovsky @ 2020-12-16 22:41 UTC (permalink / raw)
To: Jonas Witschel; +Cc: linux-cifs, Alexander Koch
Merged. Thanks!
--
Best regards,
Pavel Shilovsky
ср, 16 дек. 2020 г. в 13:47, Jonas Witschel <diabonas@archlinux.org>:
>
> From: Alexander Koch <mail@alexanderkoch.net>
>
> Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
> only if CAP_SETCAP is present.
>
> This is an addendum to the patch recently provided in [1]. Without this
> additional change, cifs.upcall can still fail while trying to mount a CIFS
> network share with krb5:
>
> kernel: CIFS: Attempting to mount //server.domain.lan/myshare
> cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
> cifs.upcall[39484]: ver=2
> cifs.upcall[39484]: host=server.domain.lan
> cifs.upcall[39484]: ip=172.22.3.14
> cifs.upcall[39484]: sec=1
> cifs.upcall[39484]: uid=1000
> cifs.upcall[39484]: creduid=1000
> cifs.upcall[39484]: user=username
> cifs.upcall[39484]: pid=39481
> cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
> cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
> cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
> cifs.upcall[39484]: Exit status 1
>
> [1] https://marc.info/?l=linux-cifs&m=160595758021261
>
> Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
> Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
> ---
> cifs.upcall.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 1559434..b62ab50 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -115,8 +115,13 @@ trim_capabilities(bool need_environ)
> static int
> drop_all_capabilities(void)
> {
> + capng_select_t set = CAPNG_SELECT_CAPS;
> +
> capng_clear(CAPNG_SELECT_BOTH);
> - if (capng_apply(CAPNG_SELECT_BOTH)) {
> + if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
> + set = CAPNG_SELECT_BOTH;
> + }
> + if (capng_apply(set)) {
> syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
> return 1;
> }
> --
> 2.29.2
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-16 22:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-16 21:44 [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP is given Jonas Witschel
2020-12-16 22:41 ` Pavel Shilovsky
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).