
Commit 103d825

committed
Improvements when encountering new capabilities
- When there are capabilities we don't know about yet, warn the user - Such unnamed capabilities can now be manipulated, and are dropped by limit()
1 parent 95ac3a5 commit 103d825


2 files changed

+16
-7
lines changed


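--- a/_prctlmodule.c
+++ b/_prctlmodule.c
@@ -760,14 +760,13 @@ PyInit__prctl(void)
 namedconstant(CAP_SYS_RESOURCE);
 namedconstant(CAP_SYS_TIME);
 namedconstant(CAP_SYS_TTY_CONFIG);
-namedconstant(CAP_SYSLOG);
-namedconstant(CAP_WAKE_ALARM);
 #ifdef CAP_SYSLOG
 namedconstant(CAP_SYSLOG);
 #endif
 #ifdef CAP_WAKE_ALARM
 namedconstant(CAP_WAKE_ALARM);
 #endif
+namedconstant(CAP_LAST_CAP);
 /* And the securebits constants */
 namedconstant(SECURE_KEEP_CAPS);
 namedconstant(SECURE_NO_SETUID_FIXUP);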
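Review bot: `namedconstant(CAP_LAST_CAP);` is added unguarded right below two constants that this same commit wraps in `#ifdef` because older headers lack them; CAP_LAST_CAP is defined by the same kernel header, so on such headers this line fails to compile, and even where it compiles the Python side's unconditional `_prctl.CAP_LAST_CAP` would raise at import if the export were ever missing. Wrap it the same way, `#ifdef CAP_LAST_CAP` / `namedconstant(CAP_LAST_CAP);` / `#endif`, and let prctl.py fall back when the attribute is absent. Note also that this value is frozen at build time from the headers, not read from the running kernel, so a newer kernel can expose capability numbers above it that the new unknown-capability handling never sees; a comment here should say so, and kernels that provide `/proc/sys/kernel/cap_last_cap` offer the live value. PyInit__prctl starts and ends outside the hunk.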

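--- a/prctl.py
+++ b/prctl.py
@@ -44,12 +44,22 @@ def setter(self, value):
 return property(getter, setter)
 
 # Wrap the capabilities, capability bounding set and securebits in an object
-_ALL_FLAG_NAMES = ('CAP_EFFECTIVE', 'CAP_INHERITABLE', 'CAP_PERMITTED')
+_ALL_FLAG_NAMES = ('CAP_EFFECTIVE', 'CAP_INHERITABLE', 'CAP_PERMITTED')
 _ALL_CAP_NAMES = tuple(x for x in dir(_prctl) if x.startswith('CAP_') and x not in _ALL_FLAG_NAMES)
-ALL_FLAG_NAMES = list(x[4:].lower() for x in _ALL_FLAG_NAMES)
-ALL_CAP_NAMES = list(x[4:].lower() for x in _ALL_CAP_NAMES)
-ALL_CAPS = tuple(getattr(_prctl,x) for x in _ALL_CAP_NAMES)
+ALL_FLAG_NAMES = tuple(x[4:].lower() for x in _ALL_FLAG_NAMES)
+ALL_CAP_NAMES = tuple(x[4:].lower() for x in _ALL_CAP_NAMES)
 ALL_FLAGS = tuple(getattr(_prctl,x) for x in _ALL_FLAG_NAMES)
+ALL_CAPS = tuple(getattr(_prctl,x) for x in _ALL_CAP_NAMES)
+
+for i in range(_prctl.CAP_LAST_CAP+1):
+if i not in ALL_CAPS:
+_ALL_CAP_NAMES += ("CAP_UNKNOWN_%d" % i,)
+del i
+
+if len(_ALL_CAP_NAMES) != len(ALL_CAPS):
+warnings.warn("not all known capabilities are named, this is a bug in python-prctl", RuntimeWarning)
+ALL_CAP_NAMES = tuple(x[4:].lower() for x in _ALL_CAP_NAMES)
+ALL_CAPS = tuple(getattr(_prctl,x) for x in _ALL_CAP_NAMES)
 
 class Capbset(object):
 __slots__ = ALL_CAP_NAMES
@@ -69,7 +79,7 @@ def limit(self, *caps):
 capbset = Capbset()
 
 class Capset(object):
-__slots__ = ALL_CAP_NAMES + ['flag']
+__slots__ = ALL_CAP_NAMES + ('flag',)
 def __init__(self, flag):
 self.flag = flag
 for name in _ALL_CAP_NAMES: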
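Review bot: The rebuilt `ALL_CAPS = tuple(getattr(_prctl,x) for x in _ALL_CAP_NAMES)` at the end of the first hunk looks up the synthetic `CAP_UNKNOWN_%d` names on `_prctl`, which, as far as this hunk shows, does not define them, so the moment an unnamed capability actually exists the warning is followed by an AttributeError at import instead of the graceful handling the commit describes; the numbers have to be carried alongside the names, e.g. in a name-to-value dict built from the known constants and extended in the loop. Two smaller points: `CAP_LAST_CAP` itself passes the `startswith('CAP_')` filter on `_ALL_CAP_NAMES`, so `last_cap` now appears as a capability slot (in both `__slots__`) whose number aliases the highest real capability, and it should be excluded there; and `_prctl.CAP_LAST_CAP` is a build-time header constant, so capabilities a newer running kernel adds above it remain invisible to `limit()`, which deserves a comment, with `/proc/sys/kernel/cap_last_cap` as the runtime source where available. The `for name in _ALL_CAP_NAMES:` body in `Capset.__init__` continues outside the hunk and presumably resolves names on `_prctl` too, so it would need the same mapping. The sketch below assumes the module is imported at top level where `warnings` is already in scope.

```python
_ALL_CAP_NAMES = tuple(x for x in dir(_prctl)
                       if x.startswith('CAP_') and x not in _ALL_FLAG_NAMES
                       and x != 'CAP_LAST_CAP')
# … unchanged: ALL_FLAG_NAMES, ALL_CAP_NAMES, ALL_FLAGS, ALL_CAPS …
# Carry name -> number explicitly: an unnamed capability has no _prctl attribute.
_CAP_VALUES = dict(zip(_ALL_CAP_NAMES, ALL_CAPS))
# CAP_LAST_CAP is fixed at build time from the headers; a newer running kernel
# may have capabilities above it that this loop cannot see.
_last_cap = getattr(_prctl, 'CAP_LAST_CAP', max(ALL_CAPS))
for i in range(_last_cap + 1):
    if i not in ALL_CAPS:
        _ALL_CAP_NAMES += ("CAP_UNKNOWN_%d" % i,)
        _CAP_VALUES["CAP_UNKNOWN_%d" % i] = i
del i, _last_cap
if len(_ALL_CAP_NAMES) != len(ALL_CAPS):
    warnings.warn("not all known capabilities are named, this is a bug in python-prctl", RuntimeWarning)
ALL_CAP_NAMES = tuple(x[4:].lower() for x in _ALL_CAP_NAMES)
ALL_CAPS = tuple(_CAP_VALUES[x] for x in _ALL_CAP_NAMES)
```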
