bryancall commented on code in PR #12908:
URL: https://github.com/apache/trafficserver/pull/12908#discussion_r2927834018
##########
src/tscore/ink_cap.cc:
##########
@@ -273,7 +273,7 @@ RestrictCapabilities()
cap_t caps_orig = cap_get_proc();
// Capabilities we need.
- cap_value_t perm_list[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
CAP_IPC_LOCK, CAP_DAC_OVERRIDE, CAP_FOWNER};
+ cap_value_t perm_list[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
CAP_IPC_LOCK, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_CHOWN};
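Review bot: the new CAP_CHOWN entry in perm_list comes with no stated reason; the comment above the array still reads only "Capabilities we need." CAP_CHOWN allows changing the owner of files the process does not own, so widening the retained set deserves a short comment naming the operation that requires it. It is also worth confirming, in the part of RestrictCapabilities() not shown in this hunk, that the capability is only kept available for later elevation and is not left active for the lifetime of the process.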
Review Comment:
Fixed — line length is within limits after reformatting the perm_list array.
##########
src/tscore/ink_cap.cc:
##########
@@ -463,6 +463,11 @@ ElevateAccess::acquirePrivilege(unsigned priv_mask)
++cap_count;
}
+ if (priv_mask & ElevateAccess::CHOWN_PRIVILEGE) {
+ cap_list[cap_count] = CAP_CHOWN;
+ ++cap_count;
+ }
+
ink_release_assert(cap_count <= sizeof(cap_list));
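Review bot: the bound check on the last line of this hunk runs only after `cap_list[cap_count] = CAP_CHOWN` has been stored, and it compares cap_count with `sizeof(cap_list)`, which is a size in bytes rather than a number of elements. With both properties together, a write past the end of cap_list can pass the assertion. Compare against `sizeof(cap_list) / sizeof(cap_list[0])` and check that the declaration of cap_list, which is outside this hunk, has room for the additional CAP_CHOWN slot when every bit in priv_mask is set.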
Review Comment:
Fixed in 9518296 — changed to `sizeof(cap_list) / sizeof(cap_list[0])` so
the assertion checks element count instead of byte size.
##########
include/tscore/ink_cap.h:
##########
@@ -81,8 +81,9 @@ class ElevateAccess
FILE_PRIVILEGE = 0x1u, ///< Access filesystem objects with privilege
TRACE_PRIVILEGE = 0x2u, ///< Trace other processes with privilege
LOW_PORT_PRIVILEGE = 0x4u, ///< Bind to privilege ports.
- OWNER_PRIVILEGE = 0x8u ///< Bypass permission checks on operations
that normally require
+ OWNER_PRIVILEGE = 0x8u, ///< Bypass permission checks on operations
that normally require
/// filesystem UID & process UID to match
+ CHOWN_PRIVILEGE = 0x10u ///< Change file ownership
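Review bot: the doc comment on CHOWN_PRIVILEGE ("Change file ownership") is thinner than the one on OWNER_PRIVILEGE just above it, which states which check is bypassed. Since acquirePrivilege() maps this bit to CAP_CHOWN, the comment should say that it permits ownership changes on files the process does not own, so callers can tell it apart from OWNER_PRIVILEGE. The value 0x10u is the next unused bit after 0x8u, so the mask stays disjoint.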
Review Comment:
Addressed in 9518296, though clang-format has its own opinion on the
alignment. CI will be the arbiter.
--
This is an automated message from the Apache Git Service.