48 lines
1.5 KiB
Diff
48 lines
1.5 KiB
Diff
From d36ece2ca7498b7ba5485d5010439b57f006c9c8 Mon Sep 17 00:00:00 2001
|
|
From: Tavian Barnes <tavianator@tavianator.com>
|
|
Date: Tue, 23 Mar 2021 11:46:26 -0400
|
|
Subject: [PATCH] tests: Actually remove capabilities after dropping them
|
|
|
|
---
|
|
tests.sh | 13 ++++++++-----
|
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
|
|
|
diff --git tests.sh tests.sh
|
|
index ad71894..8eb4dc0 100755
|
|
--- tests.sh
|
|
+++ tests.sh
|
|
@@ -35,22 +35,25 @@ if [ -t 1 ]; then
|
|
fi
|
|
|
|
if command -v capsh &>/dev/null; then
|
|
- if capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null || capsh --has-p=CAP_DAC_READ_SEARCH &>/dev/null; then
|
|
+ if capsh --has-p=cap_dac_override &>/dev/null || capsh --has-p=cap_dac_read_search &>/dev/null; then
|
|
if [ -n "$BFS_TRIED_DROP" ]; then
|
|
cat >&2 <<EOF
|
|
-${RED}error: ${RST} Failed to drop capabilities.
|
|
+${RED}error:${RST} Failed to drop capabilities.
|
|
EOF
|
|
|
|
exit 1
|
|
fi
|
|
|
|
cat >&2 <<EOF
|
|
-${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}CAP_DAC_OVERRIDE${RST} and
|
|
-${BLD}CAP_DAC_READ_SEARCH${RST}.
|
|
+${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}cap_dac_override${RST} and
|
|
+${BLD}cap_dac_read_search${RST}.
|
|
|
|
EOF
|
|
|
|
- BFS_TRIED_DROP=y exec capsh --drop=CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH -- "$0" "$@"
|
|
+ BFS_TRIED_DROP=y exec capsh \
|
|
+ --drop=cap_dac_override,cap_dac_read_search \
|
|
+ --caps=cap_dac_override,cap_dac_read_search-eip \
|
|
+ -- "$0" "$@"
|
|
fi
|
|
elif [ "$EUID" -eq 0 ]; then
|
|
UNLESS=
|
|
--
|
|
2.31.1
|
|
|