don't drop CAP_SYS_PTRACE as it is apparently needed by sandbox

running as root when combined with apparmor (or possibly yama) LSM PiperOrigin-RevId: 578762678 Change-Id: I60803b4ed78c6750f8ce0e0c909e5cec4f619da8
google · Nov 2, 2023 · 6f90a6e · 6f90a6e
1 parent 79ab44c
commit 6f90a6e
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/sandboxed_api/sandbox2/forkserver.cc b/sandboxed_api/sandbox2/forkserver.cc
@@ -543,16 +543,20 @@ bool ForkServer::Initialize() {
   cap_t wanted_caps = cap_init();  // starts as empty set, ie. no caps
   SAPI_RAW_CHECK(wanted_caps, "failed to cap_init()");
 
-  for (cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
-    cap_flag_value_t value;
-    int rc = cap_get_flag(have_caps, CAP_SETFCAP, flag, &value);
-    SAPI_RAW_CHECK(!rc, "cap_get_flag");
-    if (value == CAP_SET) {
-      cap_value_t caps_to_set[1] = {
-          CAP_SETFCAP,
-      };
-      rc = cap_set_flag(wanted_caps, flag, 1, caps_to_set, CAP_SET);
-      SAPI_RAW_CHECK(!rc, "cap_set_flag");
+  // CAP_SYS_PTRACE appears to be needed for apparmor (or possibly yama)
+  // CAP_SETFCAP is needed on newer kernels (5.10 needs it, 4.15 does not)
+  for (cap_value_t cap : {CAP_SYS_PTRACE, CAP_SETFCAP}) {
+    for (cap_flag_t flag : {CAP_EFFECTIVE, CAP_PERMITTED}) {
+      cap_flag_value_t value;
+      int rc = cap_get_flag(have_caps, cap, flag, &value);
+      SAPI_RAW_CHECK(!rc, "cap_get_flag");
+      if (value == CAP_SET) {
+        cap_value_t caps_to_set[1] = {
+            cap,
+        };
+        rc = cap_set_flag(wanted_caps, flag, 1, caps_to_set, CAP_SET);
+        SAPI_RAW_CHECK(!rc, "cap_set_flag");
+      }
     }
   }