From eaf273846152ec2fc8950590d8b3a65895bd5b88 Mon Sep 17 00:00:00 2001
From: Martin Carpenter
Date: Fri, 29 Jan 2016 04:29:30 -0500
Subject: Fix for systems that don't have CAP_SYSLOG

CAP_SYSLOG was retroactively split from CAP_SYSADMIN (Linux kernel commit ce6ada35bdf710d16582cc4869c26722547e6f11). Existing supported systems might not yet have this commit (eg RHEL 6.6) in which case compilation fails.
---
 src/firejail/caps.c | 2 ++
 src/firejail/usage.c | 4 ++++
 2 files changed, 6 insertions(+)
(limited to 'src')
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 93049ebf0..1c4ac8d37 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -289,10 +289,12 @@ int caps_default_filter(void) {
 else if (arg_debug)
 printf("Drop CAP_SYS_TTY_CONFIG\n");
+#ifdef CAP_SYSLOG
 if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
 else if (arg_debug)
 printf("Drop CAP_SYSLOG\n");
+#endif
 if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
 fprintf(stderr, "Warning: cannot drop CAP_MKNOD");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 5021025e8..52b85f5ce 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -48,7 +48,11 @@ void usage(void) {
 printf("\t-c - execute command and exit.\n\n");
 printf("\t--caps - enable default Linux capabilities filter. The filter disables\n");
 printf("\t\tCAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,\n");
+#ifdef CAP_SYSLOG
 printf("\t\tCAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#else
+ printf("\t\tCAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN.\n\n");
+#endif
 printf("\t--caps.drop=all - drop all capabilities.\n\n");
 printf("\t--caps.drop=capability,capability,capability - blacklist Linux\n");
 printf("\t\tcapabilities filter.\n\n");
--
cgit v1.2.3-54-g00ecf
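Review bot: The `#ifdef CAP_SYSLOG` guard added in caps_default_filter decides at compile time whether the capability is dropped, so a binary built against older headers and later run on a kernel that does implement CAP_SYSLOG would leave it in the bounding set, and no message is printed even with debug output enabled. Because the capability number is fixed kernel ABI, a fallback definition near the top of caps.c, `#ifndef CAP_SYSLOG` / `#define CAP_SYSLOG 34` / `#endif`, would keep the drop unconditional; on a kernel that does not know the capability the prctl call should simply fail and take the existing warning branch. With that fallback the matching guard in the usage.c hunk becomes unnecessary and the --caps help text no longer depends on the build host's headers. Both caps_default_filter and usage start and end outside these hunks, so this is based only on the visible lines.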