Ticket #2528: capset.diff
| File capset.diff, 1.3 KB (added by , 2 years ago) |
|---|
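--- a/src/os/unix/ngx_process_cycle.c.orig	2024-02-23
+++ b/src/os/unix/ngx_process_cycle.c	2024-02-23
@@ -811,7 +811,7 @@
 }
 
 #if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
-if (ccf-> transparent && ccf->user) {
+if (ccf->user) {
 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
 "prctl(PR_SET_KEEPCAPS, 1) failed");
@@ -829,7 +829,7 @@
 }
 
 #if (NGX_HAVE_CAPABILITIES)
-if (ccf-> transparent && ccf->user) {
+if (ccf->user) {
 struct __user_cap_data_struct data;
 struct __user_cap_header_struct header;
 
@@ -837,7 +837,12 @@
 ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
 
 header.version = _LINUX_CAPABILITY_VERSION_1;
-data.effective = CAP_TO_MASK(CAP_NET_RAW);
+if (ccf->transparent) {
+data.effective = CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_NET_BIND_SERVICE);
+}
+else {
+data.effective = CAP_TO_MASK(CAP_NET_BIND_SERVICE);
+}
 data.permitted = data.effective;
 
 if (syscall(SYS_capset, &header, &data) == -1) {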
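Review bot: Both `#if` blocks now run for every worker that has `ccf->user` set, so each unprivileged worker gets PR_SET_KEEPCAPS and keeps CAP_NET_BIND_SERVICE in its permitted and effective sets, even when nothing in the configuration needs a worker to bind a port below 1024. Before this change the capability code ran only when `ccf->transparent` was also set, so the patch widens what a compromised worker process can do on the host. Consider gating the new capability on an explicit opt-in, the way CAP_NET_RAW is gated on `transparent`, for example `if (ccf->user && (ccf->transparent || <opt-in flag, placeholder>)) {`. Also add a comment above the mask assignment naming the feature that needs each capability. The enclosing function starts and ends outside the visible hunks and the body of `if (syscall(SYS_capset, &header, &data) == -1) {` is not shown, so check whether a denied capset would now stop workers that previously skipped this block.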
