From 664a235d8c014971eef4ef586b2116fc3e229662 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Sun, 27 Oct 2013 16:21:19 -0400 Subject: [PATCH] bus/selinux: Fix previous commit for CAP_AUDIT_WRITE retention As soon as capng_clear() is called, we won't appear to have CAP_AUDIT_WRITE. Fix this by checking for it before resetting the libcap state. (Not tested) https://bugs.freedesktop.org/show_bug.cgi?id=49062 --- bus/selinux.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/bus/selinux.c b/bus/selinux.c index 7ae84d6..768e55e 100644 --- a/bus/selinux.c +++ b/bus/selinux.c @@ -1043,9 +1043,15 @@ _dbus_change_to_daemon_user (const char *user, if (_dbus_geteuid () == 0) { int rc; + int have_audit_write; + have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE); capng_clear (CAPNG_SELECT_BOTH); - if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)) + /* Only attempt to retain CAP_AUDIT_WRITE if we had it when + * starting. See: + * https://bugs.freedesktop.org/show_bug.cgi?id=49062#c9 + */ + if (have_audit_write) capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP); -- 1.7.1