chore: Check CAP_SYS_ADMIN in ot_util_process_privileged

2024-12-21 13:34:34 +03:00 · 2024-12-20 20:35:08 +08:00 · 2024-12-20 20:35:08 +08:00 · f9bf9ac560
commit f9bf9ac560
parent 1bd9aa6461
1 changed files with 11 additions and 1 deletions
--- a/src/libotutil/ot-unix-utils.c
+++ b/src/libotutil/ot-unix-utils.c
@ -32,6 +32,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
+#include <sys/prctl.h>
+#include <linux/prctl.h>
+#include <linux/capability.h>
 #include <unistd.h>

 /* Ensure that a pathname component @name does not contain the special Unix
@ -107,5 +110,12 @@ ot_util_path_split_validate (const char *path, GPtrArray **out_components, GErro
 gboolean
 ot_util_process_privileged (void)
 {
-  return geteuid() == 0;
+  if (geteuid() != 0)
+    return FALSE;
+
+  // https://github.com/containers/bootc/blob/c88fcfd6e145863408bde7d4706937dd323f64e2/lib/src/cli.rs#L621
+  if (prctl (PR_CAPBSET_READ, CAP_SYS_ADMIN) != 1)
+    return FALSE;
+
+  return TRUE;
 }