From 96383234d5302f59ee93da63c4c592d8ce8639d4 Mon Sep 17 00:00:00 2001
From: lfbzhm
Date: Fri, 11 Oct 2024 15:23:32 +0000
Subject: [PATCH] capability: can't raise ambient and drop bounding caps for other process

Signed-off-by: lfbzhm
---
 capability/capability.go | 7 +++++++
 capability/capability_linux.go | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/capability/capability.go b/capability/capability.go
index 1b36f5f..b20c8a8 100644
--- a/capability/capability.go
+++ b/capability/capability.go
@@ -8,6 +8,8 @@
 // Package capability provides utilities for manipulating POSIX capabilities.
 package capability
 
+import "errors"
+
 type Capabilities interface {
 // Get check whether a capability present in the given
 // capabilities set. The 'which' value should be one of EFFECTIVE,
@@ -61,6 +63,11 @@ type Capabilities interface {
 Apply(kind CapType) error
 }
 
+var (
+errBoundingNotMine = errors.New("not support drop bounding cap of other process")
+errAmbientNotMine = errors.New("not support modify ambient cap of other process")
+)
+
 // NewPid initializes a new [Capabilities] object for given pid when
 // it is nonzero, or for the current process if pid is 0.
 //
diff --git a/capability/capability_linux.go b/capability/capability_linux.go
index 0732195..b4c4928 100644
--- a/capability/capability_linux.go
+++ b/capability/capability_linux.go
@@ -334,6 +337,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 }
 if kind&BOUNDS == BOUNDS {
 var data [2]capData
+if c.hdr.pid != 0 {
+return errBoundingNotMine
+}
 err = capget(&c.hdr, &data[0])
 if err != nil {
 return
@@ -364,6 +367,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 }
 
 if kind&AMBS == AMBS {
+if c.hdr.pid != 0 {
+return errAmbientNotMine
+}
 err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
 if err != nil && err != syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
 // Ignore EINVAL as not supported on kernels before 4.3
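Review bot: The two new sentinel messages at the `+errBoundingNotMine` / `+errAmbientNotMine` lines read as garbled English ("not support drop bounding cap of other process") and the var block carries no comment saying when Apply returns them; I would write `errBoundingNotMine = errors.New("cannot drop bounding capabilities of another process")` and `errAmbientNotMine = errors.New("cannot modify ambient capabilities of another process")`, with a comment above the block such as `// Errors returned by Apply when the object refers to a process other than the caller: PR_CAPBSET_DROP and PR_CAP_AMBIENT act on the calling thread only.` Because the values are unexported, a caller that built the object with a non-zero pid cannot tell this refusal apart from a syscall failure without string matching, so exporting them (ErrBoundingNotMine / ErrAmbientNotMine) for errors.Is is worth considering if the package exposes other sentinels that way. They are also declared in the platform-independent capability.go but, as far as this patch shows, only referenced from capability_linux.go, so the unused linter may flag them on non-Linux builds even though the compiler accepts unused package-level vars.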
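Review bot: The pid guard in the BOUNDS branch is inserted after `var data [2]capData` rather than as the branch's first statement, so the declaration runs on a path that returns immediately; move the three added lines above it, or better hoist one `if c.hdr.pid != 0 { return errBoundingNotMine }` check to the top of Apply before any branch is entered (Apply's signature and the rest of its body lie outside this hunk). The refusal itself is right: PR_CAPBSET_DROP only affects the calling thread, so a capsV3 obtained via NewPid for another process could never drop that process's bounding set, and presumably the drop loop further down, outside this hunk, was previously run against the caller instead. A one-line why-comment on the guard, e.g. `// PR_CAPBSET_DROP acts on the calling thread only; refuse rather than drop our own caps.`, would record that for the next reader.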
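Review bot: The ambient guard sits inside the AMBS branch, which is the last one in Apply, so for an object with a non-zero pid a call such as Apply(CAPS|AMBS) first executes whatever lies between the two hunks (presumably the CAPS branch and its capset, not visible here) and only then returns errAmbientNotMine, leaving the caller with a partially applied, non-atomic failure. Checking `c.hdr.pid` once at the top of Apply before any set is touched — e.g. `if c.hdr.pid != 0 && kind&(BOUNDS|AMBS) != 0 { return errAmbientNotMine }` with a message covering both sets — fails closed with no side effects; Apply's body continues outside this hunk. The check is correct on its own, since PR_CAP_AMBIENT operates on the calling thread only; before this change the visible `pr_CAP_AMBIENT_CLEAR_ALL` line would have cleared the caller's own ambient set when asked to act on another process (what follows it is outside the hunk).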