minijail: Handle cap_get_flag(3) failing with EINVAL

This change adds handling EINVAL on cap_get_flag(3). This is because libcap rejects setting / getting any capabilities that it wasn't compiled with, despite there being some wording on libcap(3)'s cap_from_text(3) manpage that would lead the readers to think that the library would allow doing so. Bug: None Test: # ./minijail0 -T static --ambient \ -c 'cap_dac_read_search,cap_dac_override+e' -- \ /bin/true # On Chrome OS. Change-Id: Iea9b6737b208a201868731d44724eb1caa165fc5
google · Sep 24, 2018 · 677900f · 677900f
1 parent dabc430
commit 677900f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/minijail0_cli.c b/minijail0_cli.c
@@ -94,6 +94,14 @@ static void use_caps(struct minijail *j, const char *arg)
 		for (i = 0; i <= last_valid_cap; ++i) {
 			if (cap_get_flag(parsed_caps, i, CAP_EFFECTIVE,
 					 &cap_value)) {
+				if (errno == EINVAL) {
+					/*
+					 * Some versions of libcap reject any
+					 * capabilities they were not compiled
+					 * with by returning EINVAL.
+					 */
+					continue;
+				}
 				fprintf(stderr,
 					"Could not get the value of "
 					"the %d-th capability: %m\n",