summaryrefslogtreecommitdiffstats
path: root/src/linuxcap.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
commitddfc40eabdbc59a607b568e946fb116dcd3439fd (patch)
treeb3253de65399448dbbf12e5b65d2da56c53d3af6 /src/linuxcap.c
parentAdding upstream version 2.9.6. (diff)
downloadhaproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.tar.xz
haproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.zip
Adding upstream version 2.9.7.upstream/2.9.7
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--src/linuxcap.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/linuxcap.c b/src/linuxcap.c
index 919086c..4a2a3ab 100644
--- a/src/linuxcap.c
+++ b/src/linuxcap.c
@@ -23,6 +23,7 @@
#include <haproxy/api.h>
#include <haproxy/cfgparse.h>
#include <haproxy/errors.h>
+#include <haproxy/global.h>
#include <haproxy/tools.h>
/* supported names, zero-terminated */
@@ -59,9 +60,10 @@ static uint32_t caplist;
* - switch euid to non-zero
* - set the effective and permitted caps again
* - then the caller can safely call setuid()
+ * On success LSTCHK_NETADM is unset from global.last_checks, if CAP_NET_ADMIN
+ * or CAP_NET_RAW was found in the caplist from config.
* We don't do this if the current euid is not zero or if the target uid
- * is zero. Returns >=0 on success, negative on failure. Alerts or warnings
- * may be emitted.
+ * is zero. Returns 0 on success, negative on failure. Alerts may be emitted.
*/
int prepare_caps_for_setuid(int from_uid, int to_uid)
{
@@ -101,6 +103,10 @@ int prepare_caps_for_setuid(int from_uid, int to_uid)
ha_alert("Failed to set the final capabilities using capset(): %s\n", strerror(errno));
return -1;
}
+
+ if (caplist & ((1 << CAP_NET_ADMIN)|(1 << CAP_NET_RAW)))
+ global.last_checks &= ~LSTCHK_NETADM;
+
/* all's good */
return 0;
}