boklm/mmdebstrap
1
0
Fork 0
forked from josch/mmdebstrap
Code Issues Pull requests Projects Releases Wiki Activity

also check whether CAP_SYS_ADMIN is in the bounding set

Browse source
This commit is contained in:
Johannes Schauer Marin Rodrigues 2021-08-27 11:53:11 +02:00
parent 5a5f57b404
commit 047619967e
Signed by untrusted user: josch
GPG key ID: F2CBA5C78FBD83E1
1 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
mmdebstrap
View file

@ -58,9 +58,14 @@ use version;
*CLONE_NEWNET = \0x40000000; # net *CLONE_NEWNET = \0x40000000; # net
*_LINUX_CAPABILITY_VERSION_3 = \0x20080522; *_LINUX_CAPABILITY_VERSION_3 = \0x20080522;
*CAP_SYS_ADMIN = \21; *CAP_SYS_ADMIN = \21;
our ($CLONE_NEWNS, $CLONE_NEWUTS, $CLONE_NEWIPC, *PR_CAPBSET_READ = \23;
$CLONE_NEWUSER, $CLONE_NEWPID, $CLONE_NEWNET, our (
$_LINUX_CAPABILITY_VERSION_3, $CAP_SYS_ADMIN); $CLONE_NEWNS, $CLONE_NEWUTS,
$CLONE_NEWIPC, $CLONE_NEWUSER,
$CLONE_NEWPID, $CLONE_NEWNET,
$_LINUX_CAPABILITY_VERSION_3, $CAP_SYS_ADMIN,
$PR_CAPBSET_READ
);
#<<< #<<<
# type codes: # type codes:
@ -4669,8 +4674,13 @@ sub main() {
or error "capget failed: $!"; or error "capget failed: $!";
my ($effective, undef) = unpack "LLLLLL", $datap; my ($effective, undef) = unpack "LLLLLL", $datap;
if (($effective >> $CAP_SYS_ADMIN) & 1 != 1) { if (($effective >> $CAP_SYS_ADMIN) & 1 != 1) {
# we don't have CAP_SYS_ADMIN, and thus cannot mount warning
warning "cannot mount because of missing capability CAP_SYS_ADMIN"; "cannot mount because CAP_SYS_ADMIN is not in the effective set";
$options->{canmount} = 0;
}
if (0 == syscall &SYS_prctl, $PR_CAPBSET_READ, $CAP_SYS_ADMIN) {
warning
"cannot mount because CAP_SYS_ADMIN is not in the bounding set";
$options->{canmount} = 0; $options->{canmount} = 0;
} }
# To test whether we can use mount without actually trying to mount # To test whether we can use mount without actually trying to mount