restore: Skip dropping BSET capability if irrelevant.

prctl(NO_NEW_PRIVS) when set prevents child processes gaining capabilities not in permitted set. In this case, inability to clear capability from BSET that is not in the permitted set is harmless. Change-Id: Ibe328c3fad8dbfda0b87e675e51ef9ff102307d3 Signed-off-by: Michał Mirosław <[email protected]>
checkpoint-restore · Jul 25, 2023 · fbe6a57 · fbe6a57
1 parent 0e32b44
commit fbe6a57
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/criu/pie/restorer.c b/criu/pie/restorer.c
@@ -301,10 +301,18 @@ static int restore_creds(struct thread_creds_args *args, int procfd, int lsm_typ
 				/* already set */
 				continue;
 			ret = sys_prctl(PR_CAPBSET_DROP, i + b * 32, 0, 0, 0);
-			if (ret) {
+			if (!ret)
+				continue;
+			if (!ce->has_no_new_privs || !ce->no_new_privs || args->cap_prm[b] & (1 << u)) {
 				pr_err("Unable to drop capability %d: %d\n", i + b * 32, ret);
 				return -1;
 			}
+			/*
+			 * If prctl(NO_NEW_PRIVS) is going to be set then it
+			 * will prevent inheriting the capabilities not in
+			 * the permitted set.
+			 */
+			pr_warn("Unable to drop capability %d from bset: %d (but NO_NEW_PRIVS will drop it)\n", i + b * 32, ret);
 		}
 	}