1 From 0fddcee4b1b9c9f16b3cfe1b2daec87d2b8b19dd Mon Sep 17 00:00:00 2001
2 From: Alexander Koch <mail@alexanderkoch.net>
3 Date: Wed, 16 Dec 2020 18:02:31 +0100
4 Subject: [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP
7 Make drop_call_capabilities() in cifs.upcall update the bounding capabilities
8 only if CAP_SETCAP is present.
10 This is an addendum to the patch recently provided in [1]. Without this
11 additional change, cifs.upcall can still fail while trying to mount a CIFS
12 network share with krb5:
14 kernel: CIFS: Attempting to mount //server.domain.lan/myshare
15 cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan>
16 cifs.upcall[39484]: ver=2
17 cifs.upcall[39484]: host=server.domain.lan
18 cifs.upcall[39484]: ip=172.22.3.14
19 cifs.upcall[39484]: sec=1
20 cifs.upcall[39484]: uid=1000
21 cifs.upcall[39484]: creduid=1000
22 cifs.upcall[39484]: user=username
23 cifs.upcall[39484]: pid=39481
24 cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ
25 cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000
26 cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success
27 cifs.upcall[39484]: Exit status 1
29 [1] https://marc.info/?l=linux-cifs&m=160595758021261
31 Signed-off-by: Alexander Koch <mail@alexanderkoch.net>
32 Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
34 cifs.upcall.c | 7 ++++++-
35 1 file changed, 6 insertions(+), 1 deletion(-)
37 diff --git a/cifs.upcall.c b/cifs.upcall.c
38 index 1559434..b62ab50 100644
41 @@ -115,8 +115,13 @@ trim_capabilities(bool need_environ)
43 drop_all_capabilities(void)
45 + capng_select_t set = CAPNG_SELECT_CAPS;
47 capng_clear(CAPNG_SELECT_BOTH);
48 - if (capng_apply(CAPNG_SELECT_BOTH)) {
49 + if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
50 + set = CAPNG_SELECT_BOTH;
52 + if (capng_apply(set)) {
53 syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);