authorColin Walters <walters@verbum.org>2013-10-27 16:21:19 -0400
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2013-11-01 19:13:21 +0000
commit983237258dc440419b863461fae15f31cce08639 (patch)
tree58a57555466e5626da6e4fdcb84eff7253cd92ca
parent6b3a169bb0d0c7464a861ce1d9a8af4946f62fb1 (diff)
bus/selinux: Fix previous commit for CAP_AUDIT_WRITE retention
As soon as capng_clear() is called, we won't appear to have CAP_AUDIT_WRITE. Fix this by checking for it before resetting the libcap state. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062 Tested-by: Laurent Bigonville <bigon@debian.org> Reviewed-by: Laurent Bigonville <bigon@debian.org> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Lennart Poettering <lennart@poettering.net>
-rw-r--r--bus/selinux.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/bus/selinux.c b/bus/selinux.c
index 7ae84d6d..768e55ef 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -1043,9 +1043,15 @@ _dbus_change_to_daemon_user (const char *user,
if (_dbus_geteuid () == 0)
{
int rc;
+ int have_audit_write;
+ have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);
capng_clear (CAPNG_SELECT_BOTH);
- if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
+ /* Only attempt to retain CAP_AUDIT_WRITE if we had it when
+ * starting. See:
+ * https://bugs.freedesktop.org/show_bug.cgi?id=49062#c9
+ */
+ if (have_audit_write)
capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);