From d6c09608cd6a1c29fa2befd1b9769350f3bdee50 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Fri, 5 Aug 2011 13:33:35 -0400
Subject: [PATCH] policycoreutils: sandbox: split seunshare caps dropping

Split drop_capabilities into drop_privs, which does the same thing, and
drop_caps, which only drops caps but doesn't affect the uid.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sandbox/seunshare.c | 33 +++++++++++++++++------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index eb72387e..e6e13037 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -45,21 +45,30 @@
 static int verbose = 0;
 
 /**
- * This function will drop all capabilities 
- * Returns zero on success, non-zero otherwise
+ * This function will drop all capabilities.
  */
-static int drop_capabilities(uid_t uid)
+static int drop_caps()
 {
+	if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
+		return 0;
 	capng_clear(CAPNG_SELECT_BOTH);
-
-	if (capng_lock() < 0) 
-		return -1;
-	/* Change uid */
-	if (setresuid(uid, uid, uid)) {
-		fprintf(stderr, _("Error changing uid, aborting.\n"));
+	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
+		fprintf(stderr, _("Failed to drop all capabilities\n"));
 		return -1;
 	}
-	return capng_apply(CAPNG_SELECT_BOTH);
+	return 0;
+}
+
+/**
+ * This function will drop all privileges.
+ */
+static int drop_privs(uid_t uid)
+{
+	if (drop_caps() == -1 || setresuid(uid, uid, uid) == -1) {
+		fprintf(stderr, _("Failed to drop privileges\n"));
+		return -1;
+	}
+	return 0;
 }
 
 /**
@@ -258,10 +267,8 @@ int main(int argc, char **argv) {
 				return -1;
 	}
 
-	if (drop_capabilities(uid)) {
-		perror(_("Failed to drop all capabilities"));
+	if (drop_privs(uid))
 		return -1;
-	}
 
 	int child = fork();
 	if (child == -1) {