Always call 'drop_caps'.
am: d8c8205220
* commit 'd8c82052209904fba2b8b8cc46d15abd465a96f3':
Always call 'drop_caps'.
diff --git a/libminijail.c b/libminijail.c
index f916633..a38eb64 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1252,6 +1252,10 @@
cap_value_t flag[1];
const uint64_t one = 1;
unsigned int i;
+
+ if (!j->flags.use_caps)
+ return;
+
if (!caps)
die("can't get process caps");
if (cap_clear_flag(caps, CAP_INHERITABLE))
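Review bot: The new `if (!j->flags.use_caps) return;` guard sits after the declarations, and the `if (!caps)` check right below it implies `caps` is already initialized in a declaration above the hunk (not visible here, presumably from `cap_get_proc()`). If so, the early return leaks that handle, since nothing calls `cap_free(caps)` on this path. It also means the capability query still runs for jails that never asked for capabilities. In the branch where `set_seccomp_filter(j)` runs before `drop_caps()`, that query would happen under a filter whose policy may not allow it. Consider testing `use_caps` before acquiring the handle: declare `cap_t caps;` and assign `caps = cap_get_proc();` after the guard. The function starts and ends outside this hunk, so confirm against the full body.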
@@ -1418,16 +1422,14 @@
pdie("prctl(PR_SET_SECUREBITS)");
}
- /*
- * If we're setting no_new_privs, we can drop privileges
- * before setting seccomp filter. This way filter policies
- * don't need to allow privilege-dropping syscalls.
- */
if (j->flags.no_new_privs) {
+ /*
+ * If we're setting no_new_privs, we can drop privileges
+ * before setting seccomp filter. This way filter policies
+ * don't need to allow privilege-dropping syscalls.
+ */
drop_ugid(j);
- if (j->flags.use_caps)
- drop_caps(j, last_valid_cap);
-
+ drop_caps(j, last_valid_cap);
set_seccomp_filter(j);
} else {
/*
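Review bot: The call `drop_caps(j, last_valid_cap);` in the `no_new_privs` branch here, and the same call in the `else` branch in the next hunk, now reads as if capabilities are always dropped, although the callee returns early when `use_caps` is unset. The order of privilege dropping and seccomp setup is the security-relevant part of this code, so that contract should be stated where readers will look. A header comment on `drop_caps()` would do, such as `/* No-op unless j->flags.use_caps is set; callers may call unconditionally. */`. The comment in the `else` branch, which says the policy must allow capget()/capset()/prctl() for dropping caps, could also note that this applies only when `use_caps` is set. The enclosing function starts and ends outside both hunks.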
@@ -1438,10 +1440,8 @@
* capget()/capset()/prctl() for dropping caps.
*/
set_seccomp_filter(j);
-
drop_ugid(j);
- if (j->flags.use_caps)
- drop_caps(j, last_valid_cap);
+ drop_caps(j, last_valid_cap);
}
/*