[gnome-keyring] Accept to run if ipc_lock capability is not available
- From: Vincent Untz <vuntz src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-keyring] Accept to run if ipc_lock capability is not available
- Date: Mon, 16 May 2011 06:47:06 +0000 (UTC)
commit ad67edd5fb25fca974f10f568c31a2316d728b79
Author: Vincent Untz <vuntz gnome org>
Date: Fri May 6 14:18:00 2011 +0200
Accept to run if ipc_lock capability is not available
We print a warning about potential use of unsecure memory, but still
run (and drop unneeded capabilities if we have some). This is better
than nothing.
https://bugzilla.gnome.org/show_bug.cgi?id=649560
daemon/gkd-capability.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
---
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index e15200a..92c000c 100644
--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -42,6 +42,12 @@ early_error (const char *err_string)
exit (1);
}
+static void
+early_warning (const char *warn_string)
+{
+ fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
+}
+
#endif /* HAVE_LIPCAPNG */
/*
@@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
early_error ("error getting process capabilities");
break;
case CAPNG_NONE:
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
break;
case CAPNG_PARTIAL: /* File system based capabilities */
if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
+ /* Drop all capabilities */
+ capng_clear (CAPNG_SELECT_BOTH);
+ capng_apply (CAPNG_SELECT_BOTH);
break;
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
