From 156f6f318daa782cd209c90ed69a0d24595af5d1 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@gnome.org>
Date: Fri, 6 May 2011 14:18:00 +0200
Subject: [PATCH] Accept to run if ipc_lock capability is not available
We print a warning about potential use of unsecure memory, but still
run (and drop unneeded capabilities if we have some). This is better
than nothing.
https://bugzilla.gnome.org/show_bug.cgi?id=649560
---
daemon/gkd-capability.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
index e15200a..92c000c 100644
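--- a/daemon/gkd-capability.c
+++ b/daemon/gkd-capability.c
@@ -42,6 +42,12 @@ early_error (const char *err_string)
 exit (1);
 }
 
+static void
+early_warning (const char *warn_string)
+{
+ fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
+}
+
 #endif /* HAVE_LIPCAPNG */
 
 /*
@@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
 early_error ("error getting process capabilities");
 break;
 case CAPNG_NONE:
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
 break;
 case CAPNG_PARTIAL: /* File system based capabilities */
 if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
- early_error ("insufficient process capabilities");
+ early_warning ("insufficient process capabilities, unsecure memory might get used");
+ /* Drop all capabilities */
+ capng_clear (CAPNG_SELECT_BOTH);
+ capng_apply (CAPNG_SELECT_BOTH);
 break;
 }
 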
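Review bot: The return value of `capng_apply (CAPNG_SELECT_BOTH)` is ignored in the new CAPNG_PARTIAL fallback, so if the drop fails the daemon keeps running with whatever file-based capabilities it started with, contrary to the `/* Drop all capabilities */` comment above it. A failed drop should be fatal, e.g. `if (capng_apply (CAPNG_SELECT_BOTH) != 0) early_error ("error dropping process capabilities");`. Since both the CAPNG_NONE and CAPNG_PARTIAL cases now continue without CAP_IPC_LOCK, a comment such as `/* Continue without CAP_IPC_LOCK: secret memory may not be lockable and could reach swap */` would make the accepted risk explicit. The warning is written only to stderr, which may not be captured when the daemon is started by a session. The switch in gkd_capability_obtain_capability_and_drop_privileges begins and ends outside the hunk.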
--
1.7.4.2