From 4c2bce95802f47383f6f57245a447183da4de7c9 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 30 Aug 2013 21:25:47 +0200
Subject: [PATCH 8/8] daemon: improve capabilities dropping

This fixes issues in the usage of libcap-ng to drop capabilities:
- capng_change_id() already applies the selected capabilities. Calling
  capng_apply() afterwards is pointless.
- In order to apply the bounding set, CAPNG_CLEAR_BOUNDING must therefore
  be passed to capng_change_id(). Might as well add CAPNG_DROP_SUPP_GRP
  to drop any supplementary groups.
- The return value of capng_change_id() must be checked to prevent
  continuing to run with unwanted capabilities in case of an error.

I have checked that with this patch applied iceccd runs with a bounding
set defined (pscap does not show the '+' sign anymore).
---
 daemon/main.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/daemon/main.cpp b/daemon/main.cpp
index 387d4e2..34ad342 100644
--- a/daemon/main.cpp
+++ b/daemon/main.cpp
@@ -1803,9 +1803,13 @@ int main( int argc, char ** argv )
 
 #ifdef HAVE_LIBCAP_NG
         capng_clear(CAPNG_SELECT_BOTH);
-        capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
-        capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
-        capng_apply(CAPNG_SELECT_BOTH);
+        capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE | CAPNG_PERMITTED), CAP_SYS_CHROOT);
+        int r = capng_change_id(d.user_uid, d.user_gid,
+                                (capng_flags_t)(CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING));
+        if (r) {
+            log_error() << "Error: capng_change_id failed: " << r << endl;
+            exit(EXIT_SETUID_FAILED);
+        }
 #endif
     } else {
         d.noremote = true;
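Review bot: the return value of capng_update() on the line just above the new capng_change_id() call is still unchecked; capng_update() returns non-zero when the capability cannot be added to the selected sets, and an unnoticed failure there would let capng_change_id() go on to apply an empty set, so it deserves the same treatment as the new `if (r) { ... exit(EXIT_SETUID_FAILED); }` block. Also, the log line prints only the raw code from capng_change_id(); libcap-ng documents a distinct negative value for each step of that function that can fail (applying the sets, changing group and user IDs), so mapping the code to a short description, or at least logging the failing step, would let an operator tell a setresuid failure from a bounding-set one without consulting the man page.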
-- 
1.8.3.1
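The commit message verifies the result with pscap, which prints a '+' when a process's bounding set is still full. The same check can be scripted without libcap-ng by reading the Cap* lines of /proc/<pid>/status. The following is an added example, not code from icecc or libcap-ng: it parses those lines, compares the permitted, effective and inheritable sets against the one capability iceccd is meant to keep (CAP_SYS_CHROOT, bit 18), and decides whether the bounding set is still the kernel's full set. The two status snippets are constructed, not captured from a running daemon; the "before" snippet assumes a kernel with CAP_LAST_CAP = 36 (a 3.x-era value), so its full bounding set is 0x1fffffffff.

```c
/* Added example: verify capability dropping by parsing /proc/<pid>/status.
 * Not part of icecc or libcap-ng; no libcap-ng dependency so it builds anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_CHROOT 18                 /* bit number from <linux/capability.h> */
#define WANTED_CAPS (1ULL << CAP_SYS_CHROOT)

/* Constructed sample (not captured): Cap* lines of an iceccd that kept only
 * CAP_SYS_CHROOT (0x40000) and cleared the bounding set down to the same bit. */
const char SAMPLE_FIXED[] =
    "Name:\ticeccd\n"
    "Uid:\t990\t990\t990\t990\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000040000\n"
    "CapEff:\t0000000000040000\n"
    "CapBnd:\t0000000000040000\n";

/* Constructed sample of the pre-patch state: permitted/effective reduced, but
 * the bounding set still full (bits 0..36 on a kernel with CAP_LAST_CAP = 36). */
const char SAMPLE_UNFIXED[] =
    "Name:\ticeccd\n"
    "Uid:\t990\t990\t990\t990\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000040000\n"
    "CapEff:\t0000000000040000\n"
    "CapBnd:\t0000001fffffffff\n";

struct verdict {
    int parsed;               /* all four Cap* lines found */
    int only_wanted;          /* CapPrm == CapEff == wanted, CapInh empty */
    int bounding_restricted;  /* CapBnd is not the kernel's full set */
    int bounding_only_wanted; /* CapBnd == wanted (what CAPNG_CLEAR_BOUNDING yields) */
};

/* Find "Key:<ws><hex>" in a status buffer and parse the mask. 0 on success. */
static int parse_capline(const char *status, const char *key, uint64_t *out)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            char *end;
            unsigned long long val = strtoull(v, &end, 16); /* skips the tab */
            if (end == v)
                return -1;
            *out = (uint64_t)val;
            return 0;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Mask with bits 0..last_cap set: the bounding set of an unrestricted process. */
static uint64_t full_mask(int last_cap)
{
    return last_cap >= 63 ? ~(uint64_t)0 : (((uint64_t)1 << (last_cap + 1)) - 1);
}

static struct verdict check_caps(const char *status, uint64_t wanted, int last_cap)
{
    struct verdict v = {0, 0, 0, 0};
    uint64_t inh, prm, eff, bnd;
    if (parse_capline(status, "CapInh", &inh) || parse_capline(status, "CapPrm", &prm) ||
        parse_capline(status, "CapEff", &eff) || parse_capline(status, "CapBnd", &bnd))
        return v;
    v.parsed = 1;
    v.only_wanted = (prm == wanted && eff == wanted && inh == 0);
    v.bounding_restricted = (bnd != full_mask(last_cap));
    v.bounding_only_wanted = (bnd == wanted);
    return v;
}

/* 1 if the process looks like the patched iceccd: only the wanted capability
 * in every set, bounding set included. */
static int caps_dropped_ok(const char *status, int last_cap)
{
    struct verdict v = check_caps(status, WANTED_CAPS, last_cap);
    return v.parsed && v.only_wanted && v.bounding_only_wanted;
}

static long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Live check of the calling process; on a non-/proc system it just reports that. */
int main(void)
{
    char status[8192], lc[16];
    if (read_file("/proc/sys/kernel/cap_last_cap", lc, sizeof lc) < 0 ||
        read_file("/proc/self/status", status, sizeof status) < 0) {
        fputs("no /proc available; nothing to check\n", stderr);
        return 1;
    }
    struct verdict v = check_caps(status, WANTED_CAPS, atoi(lc));
    printf("parsed=%d only_wanted=%d bounding_restricted=%d bounding_only_wanted=%d\n",
           v.parsed, v.only_wanted, v.bounding_restricted, v.bounding_only_wanted);
    return 0;
}
```

To check a running daemon, substitute /proc/<pid>/status for /proc/self/status; `bounding_restricted == 0` is the condition under which the commit message reports pscap printing '+'.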