policycoreutils: newrole retain CAP_SETPCAP
We retain CAP_SETPCAP so that we can drop the additional capabilities we held onto to set up namespaces. While we are at it, just add some console whine in case things fail. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
parent
802369fbe2
commit
e3ffa8c31f
|
@ -586,7 +586,7 @@ static int drop_capabilities(int full)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (! full)
|
if (! full)
|
||||||
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
|
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
|
||||||
return capng_apply(CAPNG_SELECT_BOTH);
|
return capng_apply(CAPNG_SELECT_BOTH);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1030,8 +1030,10 @@ int main(int argc, char *argv[])
|
||||||
* if it makes sense to continue to run newrole, and setting up
|
* if it makes sense to continue to run newrole, and setting up
|
||||||
* a scrubbed environment.
|
* a scrubbed environment.
|
||||||
*/
|
*/
|
||||||
if (drop_capabilities(FALSE))
|
if (drop_capabilities(FALSE)) {
|
||||||
|
perror(_("Sorry, newrole failed to drop capabilities\n"));
|
||||||
return -1;
|
return -1;
|
||||||
|
}
|
||||||
if (set_signal_handles())
|
if (set_signal_handles())
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue