caps: add lxc_{proc,file}_cap_is_set()

Add two new helpers that allow to determine whether a given proc or file has a capability in the given set and move lxc_cap_is_set() to static function that both call internally. Closes #296. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

caps: add lxc_{proc,file}_cap_is_set()
207c4c71 · Christian Brauner · 4bc3b759 · 207c4c71 · 207c4c71 · 207c4c71
Unverified Commit 207c4c71 authored Apr 15, 2017 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 12 deletions

caps.c src/lxc/caps.c +38 -9

caps.h src/lxc/caps.h +7 -2

start.c src/lxc/start.c +1 -1

No files found.
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -209,27 +209,56 @@ int lxc_caps_last_cap(void)
 	return last_cap;
 }

-bool lxc_cap_is_set(cap_value_t cap, cap_flag_t flag)
+static bool lxc_cap_is_set(cap_t caps, cap_value_t cap, cap_flag_t flag)
 {
 	int ret;
-	cap_t caps;
 	cap_flag_value_t flagval;

-	caps = cap_get_proc();
+	ret = cap_get_flag(caps, cap, flag, &flagval);
+	if (ret < 0) {
+		ERROR("Failed to perform cap_get_flag(): %s.", strerror(errno));
+		return false;
+	}
+
+	return flagval == CAP_SET;
+}
+
+bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
+{
+	bool cap_is_set;
+	cap_t caps;
+
+	caps = cap_get_file(path);
 	if (!caps) {
-		ERROR("Failed to perform cap_get_proc(): %s.", strerror(errno));
+		/* This is undocumented in the manpage but the source code show
+		 * that cap_get_file() may return NULL when successful for the
+		 * case where it didn't detect any file capabilities. In this
+		 * case errno will be set to ENODATA.
+		 */
+		if (errno != ENODATA)
+			ERROR("Failed to perform cap_get_file(): %s.\n", strerror(errno));
 		return false;
 	}

-	ret = cap_get_flag(caps, cap, flag, &flagval);
-	if (ret < 0) {
-		ERROR("Failed to perform cap_get_flag(): %s.", strerror(errno));
-		cap_free(caps);
+	cap_is_set = lxc_cap_is_set(caps, cap, flag);
+	cap_free(caps);
+	return cap_is_set;
+}
+
+bool lxc_proc_cap_is_set(cap_value_t cap, cap_flag_t flag)
+{
+	bool cap_is_set;
+	cap_t caps;
+
+	caps = cap_get_proc();
+	if (!caps) {
+		ERROR("Failed to perform cap_get_proc(): %s.\n", strerror(errno));
 		return false;
 	}

+	cap_is_set = lxc_cap_is_set(caps, cap, flag);
 	cap_free(caps);
-	return flagval == CAP_SET;
+	return cap_is_set;
 }

 #endif
--- a/src/lxc/caps.h
+++ b/src/lxc/caps.h
@@ -36,7 +36,8 @@ extern int lxc_caps_init(void);

 extern int lxc_caps_last_cap(void);

-extern bool lxc_cap_is_set(cap_value_t cap, cap_flag_t flag);
+extern bool lxc_proc_cap_is_set(cap_value_t cap, cap_flag_t flag);
+extern bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag);
 #else
 static inline int lxc_caps_down(void) {
 	return 0;
@@ -54,7 +55,11 @@ static inline int lxc_caps_last_cap(void) {

 typedef int cap_value_t;
 typedef int cap_flag_t;
-static inline bool lxc_cap_is_set(cap_value_t cap, cap_flag_t flag) {
+static inline bool lxc_proc_cap_is_set(cap_value_t cap, cap_flag_t flag) {
+	return true;
+}
+
+static inline bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag) {
 	return true;
 }
 #endif

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -899,7 +899,7 @@ static int do_start(void *data)
 		 * have necessary privilege.
 		 */
 		#if HAVE_LIBCAP
-		have_cap_setgid = lxc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
+		have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
 		#else
 		have_cap_setgid = false;
 		#endif