lxc_container: Check retval of capng_get_caps_process()

Added in v0.6.5~14 the call to capng_get_caps_process() inside of lxcContainerDropCapabilities() is not really explained in the commit message. But looking into the libcap-ng sources it's to initialize the internal state of the library. But with recent libcap-ng commit [1] (which some bleeding edge distros - like Fedora rawhide - already picked up) the function has been marked as 'warn unused result'. Well, check for its retval then. 1: a0743c335c Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2023-09-11 10:47:01 +02:00 · 2023-09-11 10:47:01 +02:00 · 3222c9ca67
parent efeaf5589c
commit 3222c9ca67
1 changed files with 7 additions and 1 deletions
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@ -1725,7 +1725,13 @@ static int lxcContainerDropCapabilities(virDomainDef *def,
                                CAP_SYSLOG,
                                CAP_WAKE_ALARM};

-    capng_get_caps_process();
+    /* Init the internal state of capng */
+    if ((ret = capng_get_caps_process()) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Failed to get current process capabilities: %1$d"),
+                       ret);
+        return -1;
+    }

    /* Make sure we drop everything if required by the user */
    if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_DENY)