[Devel] [PATCH RH7] capset: ignore setting not permitted capabilities
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Jun 25 09:04:51 PDT 2015
This is a temporary decision for Docker's sake, as we do not have e.g.
CAP_SYS_ADMIN, CAP_NET_ADMIN in PCS7CT and Docker tries to set them.
https://jira.sw.ru/browse/PSBM-33693
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
security/commoncap.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 829ffac..d4b7ea6 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -257,13 +257,26 @@ int cap_capset(struct cred *new,
if (!cap_issubset(*inheritable,
cap_combine(old->cap_inheritable,
- old->cap_bset)))
+ old->cap_bset))) {
/* no new pI capabilities outside bounding set */
- return -EPERM;
+ unsigned capi;
+ CAP_FOR_EACH_U32(capi) {
+ printk("%x-%x ", inheritable->cap[capi],
+ old->cap_inheritable.cap[capi] | old->cap_bset.cap[capi]);
+ }
+ printk("Skip inheritable capset check. Docker? - Will fix when switch to user namespaces.\n");
+ goto old;
+ }
/* verify restrictions on target's new Permitted set */
- if (!cap_issubset(*permitted, old->cap_permitted))
- return -EPERM;
+ if (!cap_issubset(*permitted, old->cap_permitted)) {
+ unsigned capi;
+ CAP_FOR_EACH_U32(capi) {
+ printk("%x-%x ", permitted->cap[capi] , old->cap_permitted.cap[capi]);
+ }
+ printk("Skip permited capset check. Docker? - Will fix when switch to user namespaces.\n");
+ goto old;
+ }
/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
if (!cap_issubset(*effective, *permitted))
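Review bot: Both fallback branches call `printk` with no log level and no rate limit, and capset() can be issued by any task, so a process that keeps repeating a rejected request can fill the kernel log; the per-word `"%x-%x "` fragments also carry no `KERN_CONT` and may interleave with unrelated messages. A single bounded line such as `printk_ratelimited(KERN_WARNING "capset: ignoring unpermitted request\n");` would keep the diagnostic without that exposure. Nothing visible in the hunk limits the bypass to container tasks, so as far as these lines show it also changes behaviour on the host; gating it on the container context would narrow the effect to the Docker case the description names. The body of cap_capset starts before this hunk and continues after it.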
@@ -273,6 +286,11 @@ int cap_capset(struct cred *new,
new->cap_inheritable = *inheritable;
new->cap_permitted = *permitted;
return 0;
+old:
+ new->cap_effective = old->cap_effective;
+ new->cap_inheritable = old->cap_inheritable;
+ new->cap_permitted = old->cap_permitted;
+ return 0;
}
/*
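Review bot: The `old:` path returns 0 after discarding the whole request, so a caller that lowers some capabilities and asks for one it lacks in the same capset() is told it succeeded while keeping its full previous sets; a program dropping privileges would then run with more capability than it believes it has. The subject line says only the unpermitted bits are ignored, which would instead mean masking the request (intersecting `*permitted` with `old->cap_permitted`, and likewise for the inheritable set) and still running the later effective-subset check. If the whole-request fallback is intended, a comment at the label should say so, for example `/* request rejected: keep old sets but report success (temporary, PSBM-33693) */`. The three assignments may also be redundant if `new` is already a copy of `old` on entry, which is not visible in this hunk.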
--
1.9.3