From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] virSetUIDGIDWithCaps: Check for capng_apply() retval properly
Date: Thu, 22 Jul 2021 17:29:57 +0200
Message-Id: <240620c8c78c442cd8ab12800cf1abd7c9d2a1fc.1626967773.git.mprivozn@redhat.com>

After all capabilities were set (except for CAP_SETGID, CAP_SETUID and CAP_SETPCAP) and after UID:GID was changed we drop the last aforementioned capabilities (we couldn't drop them before because we needed UID:GID and capabilities change). Therefore, there's a final capng_apply() call. However, its return value is not checked for properly. It's a typical problem of:

  var = func() < 0

Signed-off-by: Michal Privoznik
--- src/util/virutil.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/util/virutil.c b/src/util/virutil.c index ed3d57662b..aba0aea0ff 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c
@@ -1261,7 +1261,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *gro= ups, int ngroups, if (need_setpcap) capng_update(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETP= CAP); =20 - if (((capng_ret =3D capng_apply(CAPNG_SELECT_CAPS)) < 0)) { + if ((capng_ret =3D capng_apply(CAPNG_SELECT_CAPS)) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, _("cannot apply process capabilities %d"), capng_re= t); return -1; --=20 2.31.1
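
Review bot: In the capng_apply() condition, the removed line already parenthesizes the assignment before the comparison, `((capng_ret = capng_apply(CAPNG_SELECT_CAPS)) < 0)`, so capng_ret was receiving the function's return value and not the result of `< 0`; the added line only drops the redundant outer pair of parentheses and behaves the same. The commit message's `var = func() < 0` description therefore does not match this hunk. Suggest either rewording the subject and message as a cosmetic cleanup, or pointing the fix at a call site that actually has the precedence problem. If the intent is to harden error handling on the capability drop path, note that the capng_update() call for CAP_SETPCAP in the context lines just above still discards its return value, so a failed update would only surface, if at all, through the later capng_apply() check.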