|
|
@ -58,9 +58,14 @@ use version;
|
|
|
|
*CLONE_NEWNET = \0x40000000; # net
|
|
|
|
*CLONE_NEWNET = \0x40000000; # net
|
|
|
|
*_LINUX_CAPABILITY_VERSION_3 = \0x20080522;
|
|
|
|
*_LINUX_CAPABILITY_VERSION_3 = \0x20080522;
|
|
|
|
*CAP_SYS_ADMIN = \21;
|
|
|
|
*CAP_SYS_ADMIN = \21;
|
|
|
|
our ($CLONE_NEWNS, $CLONE_NEWUTS, $CLONE_NEWIPC,
|
|
|
|
*PR_CAPBSET_READ = \23;
|
|
|
|
$CLONE_NEWUSER, $CLONE_NEWPID, $CLONE_NEWNET,
|
|
|
|
our (
|
|
|
|
$_LINUX_CAPABILITY_VERSION_3, $CAP_SYS_ADMIN);
|
|
|
|
$CLONE_NEWNS, $CLONE_NEWUTS,
|
|
|
|
|
|
|
|
$CLONE_NEWIPC, $CLONE_NEWUSER,
|
|
|
|
|
|
|
|
$CLONE_NEWPID, $CLONE_NEWNET,
|
|
|
|
|
|
|
|
$_LINUX_CAPABILITY_VERSION_3, $CAP_SYS_ADMIN,
|
|
|
|
|
|
|
|
$PR_CAPBSET_READ
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
#<<<
|
|
|
|
#<<<
|
|
|
|
# type codes:
|
|
|
|
# type codes:
|
|
|
@ -4669,8 +4674,13 @@ sub main() {
|
|
|
|
or error "capget failed: $!";
|
|
|
|
or error "capget failed: $!";
|
|
|
|
my ($effective, undef) = unpack "LLLLLL", $datap;
|
|
|
|
my ($effective, undef) = unpack "LLLLLL", $datap;
|
|
|
|
if (($effective >> $CAP_SYS_ADMIN) & 1 != 1) {
|
|
|
|
if (($effective >> $CAP_SYS_ADMIN) & 1 != 1) {
|
|
|
|
# we don't have CAP_SYS_ADMIN, and thus cannot mount
|
|
|
|
warning
|
|
|
|
warning "cannot mount because of missing capability CAP_SYS_ADMIN";
|
|
|
|
"cannot mount because CAP_SYS_ADMIN is not in the effective set";
|
|
|
|
|
|
|
|
$options->{canmount} = 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (0 == syscall &SYS_prctl, $PR_CAPBSET_READ, $CAP_SYS_ADMIN) {
|
|
|
|
|
|
|
|
warning
|
|
|
|
|
|
|
|
"cannot mount because CAP_SYS_ADMIN is not in the bounding set";
|
|
|
|
$options->{canmount} = 0;
|
|
|
|
$options->{canmount} = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
# To test whether we can use mount without actually trying to mount
|
|
|
|
# To test whether we can use mount without actually trying to mount
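Review bot: The effective-set test guarding the rewritten warning, `if (($effective >> $CAP_SYS_ADMIN) & 1 != 1)`, can never be true, because in Perl `!=` binds tighter than `&`: it parses as `(...) & (1 != 1)`, i.e. `& 0`, so the "not in the effective set" branch is unreachable and `canmount` stays set even when CAP_SYS_ADMIN is absent from the effective set. The condition should be `if (!(($effective >> $CAP_SYS_ADMIN) & 1)) {`. The new bounding-set check only treats a return of 0 as "missing"; prctl(PR_CAPBSET_READ) can also return -1 with errno set, which currently passes silently as "present", so consider `my $ret = syscall &SYS_prctl, $PR_CAPBSET_READ, $CAP_SYS_ADMIN;` followed by `error "prctl failed: $!" if $ret == -1;` before comparing against 0. The enclosing sub main() begins and ends outside this hunk.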
|
|
|
|