squash! src: allow CAP_NET_BIND_SERVICE in SafeGetenv
This commit updates the capabilities check to use the permitted set
instead of the effective set. It also checks the second element of
cap_data, which can contain 64-bit capability masks.
danbev committed Sep 22, 2021
1 parent c48b6e1 commit 501026c
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions src/node_credentials.cc
@@ -48,10 +48,14 @@ bool HasOnly(int capability) {
getpid()};


if (syscall(SYS_capget, &cap_header_data, &cap_data[0]) != 0) {
if (syscall(SYS_capget, &cap_header_data, &cap_data) != 0) {
return false;
}
return cap_data[0].effective ==
if (capability < 32) {
return cap_data[0].permitted ==
static_cast<unsigned int>(CAP_TO_MASK(capability));
}
return cap_data[1].permitted ==
static_cast<unsigned int>(CAP_TO_MASK(capability));
}
#endif
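Review bot: Each return in the new tail of `HasOnly` compares only one of the two `cap_data` words, so the other word is never required to be empty. For `capability < 32`, a process that also holds a permitted capability numbered 32 or above still satisfies `cap_data[0].permitted == mask`, and the mirror case applies to the second return. If this result is what lets SafeGetenv trust the environment, as the commit title suggests, "only" should cover both words: `return cap_data[0].permitted == mask && cap_data[1].permitted == 0;` in the first branch and `return cap_data[1].permitted == mask && cap_data[0].permitted == 0;` in the second, where `mask` is the existing `static_cast<unsigned int>(CAP_TO_MASK(capability))`. The start of `HasOnly` and the declaration of `cap_data` lie outside the hunk, so this assumes the array has two elements, as the `[1]` index implies.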