helper: Use 64bit capset/capget versions

This fixed kernel warnings about 32bit capabilities APIs on some distros.
allanday · Mar 30, 2016 · 33e09be · 33e09be
1 parent ef09d6f
commit 33e09be
Showing 1 changed file with 29 additions and 18 deletions.
diff --git a/common/xdg-app-helper.c b/common/xdg-app-helper.c
@@ -1948,22 +1948,27 @@ do_init (int event_fd, pid_t initial_pid)
   return initial_exit_status;
 }
 
-#define REQUIRED_CAPS (CAP_TO_MASK(CAP_SYS_ADMIN))
+/* low 32bit caps needed */
+#define REQUIRED_CAPS_0 (CAP_TO_MASK(CAP_SYS_ADMIN))
+/* high 32bit caps needed */
+#define REQUIRED_CAPS_1 0
 
 static void
 acquire_caps (void)
 {
   struct __user_cap_header_struct hdr;
-  struct __user_cap_data_struct data;
+  struct __user_cap_data_struct data[2];
 
   memset (&hdr, 0, sizeof(hdr));
-  hdr.version = _LINUX_CAPABILITY_VERSION;
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
 
-  if (capget (&hdr, &data)  < 0)
+  if (capget (&hdr, data)  < 0)
     die_with_error ("capget failed");
 
-  if (((data.effective & REQUIRED_CAPS) == REQUIRED_CAPS) &&
-      ((data.permitted & REQUIRED_CAPS) == REQUIRED_CAPS))
+  if (((data[0].effective & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) &&
+      ((data[0].permitted & REQUIRED_CAPS_0) == REQUIRED_CAPS_0) &&
+      ((data[1].effective & REQUIRED_CAPS_1) == REQUIRED_CAPS_1) &&
+      ((data[1].permitted & REQUIRED_CAPS_1) == REQUIRED_CAPS_1))
     is_privileged = TRUE;
 
   if (getuid () != geteuid ())
@@ -1980,13 +1985,16 @@ acquire_caps (void)
   if (is_privileged)
     {
       memset (&hdr, 0, sizeof(hdr));
-      hdr.version = _LINUX_CAPABILITY_VERSION;
+      hdr.version = _LINUX_CAPABILITY_VERSION_3;
 
       /* Drop all non-require capabilities */
-      data.effective = REQUIRED_CAPS;
-      data.permitted = REQUIRED_CAPS;
-      data.inheritable = 0;
-      if (capset (&hdr, &data) < 0)
+      data[0].effective = REQUIRED_CAPS_0;
+      data[0].permitted = REQUIRED_CAPS_0;
+      data[0].inheritable = 0;
+      data[1].effective = REQUIRED_CAPS_1;
+      data[1].permitted = REQUIRED_CAPS_1;
+      data[1].inheritable = 0;
+      if (capset (&hdr, data) < 0)
         die_with_error ("capset failed");
     }
   /* Else, we try unprivileged user namespaces */
@@ -1996,18 +2004,21 @@ static void
 drop_caps (void)
 {
   struct __user_cap_header_struct hdr;
-  struct __user_cap_data_struct data;
+  struct __user_cap_data_struct data[2];
 
   if (!is_privileged)
     return;
 
   memset (&hdr, 0, sizeof(hdr));
-  hdr.version = _LINUX_CAPABILITY_VERSION;
-  data.effective = 0;
-  data.permitted = 0;
-  data.inheritable = 0;
-
-  if (capset (&hdr, &data) < 0)
+  hdr.version = _LINUX_CAPABILITY_VERSION_3;
+  data[0].effective = 0;
+  data[0].permitted = 0;
+  data[0].inheritable = 0;
+  data[1].effective = 0;
+  data[1].permitted = 0;
+  data[1].inheritable = 0;
+
+  if (capset (&hdr, data) < 0)
     die_with_error ("capset failed");
 
   if (prctl (PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)