@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I aclocal
root_sbindir = "/sbin"
root_sbin_PROGRAMS = mount.cifs
mount_cifs_SOURCES = mount.cifs.c mtab.c util.c
-mount_cifs_LDADD = @LIBCAP@
+mount_cifs_LDADD = @LIBCAP@ @CAPNG_LDADD@
man_MANS = mount.cifs.8
@@ -118,6 +118,9 @@ LIBS=$cu_saved_libs
AM_CONDITIONAL(CONFIG_CIFSUPCALL, [test "$enable_cifsupcall" != "no"])
-AC_LIBCAP
+LIBCAP_NG_PATH
+if test "x$CAPNG_LDADD" = "x"; then
+ AC_LIBCAP
+fi
AC_OUTPUT
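Review bot: The fallback added here keys on `CAPNG_LDADD` being empty, while mount.cifs.c selects its implementation on `HAVE_LIBCAP_NG`, so the two can disagree unless `LIBCAP_NG_PATH` always sets both together. That macro's definition is not visible in this patch, so this is worth confirming. If neither library is detected, configure appears to continue silently, and the binary would presumably be built without any capability dropping. An `AC_MSG_WARN([no capability library found; mount.cifs will not drop privileges])` after the `AC_LIBCAP` fallback would make that visible to packagers, unless `AC_LIBCAP` already warns.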
@@ -44,9 +44,13 @@
#include <fstab.h>
#include <sys/mman.h>
#include <sys/wait.h>
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#else /* HAVE_LIBCAP_NG */
#ifdef HAVE_LIBCAP
#include <sys/capability.h>
#endif /* HAVE_LIBCAP */
+#endif /* HAVE_LIBCAP_NG */
#include "mount.h"
#include "util.h"
@@ -322,6 +326,44 @@ static int parse_username(char *rawuser, struct parsed_mount_info *parsed_info)
return 0;
}
+#ifdef HAVE_LIBCAP_NG
+static int
+drop_capabilities(int parent)
+{
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_OVERRIDE)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+
+ if (parent) {
+ if (capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_ADMIN)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+ }
+ if (capng_apply(CAPNG_SELECT_BOTH)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+ return 0;
+}
+
+static int
+toggle_cap_dac_override(int enable)
+{
+ if (capng_update(enable ? CAPNG_ADD : CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE)) {
+ fprintf(stderr, "Unable to update capability set.\n");
+ return EX_SYSERR;
+ }
+ if (capng_apply(CAPNG_SELECT_CAPS)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+ return 0;
+}
+#else /* HAVE_LIBCAP_NG */
#ifdef HAVE_LIBCAP
static int
drop_capabilities(int parent)
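Review bot: The libcap-ng `drop_capabilities()` added here has no comment stating which capabilities survive, which makes this privilege-dropping code harder to audit than it needs to be. From the visible calls, everything including the bounding set is cleared (`CAPNG_SELECT_BOTH`), `CAP_DAC_OVERRIDE` is kept in the permitted set only, for parent and child alike, and `CAP_SYS_ADMIN` is kept permitted and effective only when `parent` is non-zero. A header comment should record that, along with why the child still needs `CAP_DAC_OVERRIDE` in its permitted set. `toggle_cap_dac_override()` calls `capng_update()` without a preceding `capng_clear()` or `capng_get_caps_process()`, so it should carry a note such as `/* relies on the capng state set up by drop_capabilities() */`. The libcap `drop_capabilities()` at the end of the hunk continues outside it.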
@@ -426,6 +468,7 @@ toggle_cap_dac_override(int enable)
return 0;
}
#endif /* HAVE_LIBCAP */
+#endif /* HAVE_LIBCAP_NG */
static int open_cred_file(char *file_name,
struct parsed_mount_info *parsed_info)
...in preference to libcap if it's available. Signed-off-by: Jeff Layton <jlayton@samba.org> --- Makefile.am | 2 +- configure.ac | 5 ++++- mount.cifs.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-)