[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-262-g3a3d541
by Werner Koch
cvs at cvs.gnupg.org
Mon Sep 7 14:08:12 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via 3a3d5410cc83f7069c7cb1ab384905f382292d32 (commit)
from e97c62a4a687b56d00a2d0a63e072a977f8eb81c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3a3d5410cc83f7069c7cb1ab384905f382292d32
Author: Werner Koch <wk at gnupg.org>
Date: Mon Sep 7 14:02:09 2015 +0200
Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
functions if NO_PRIV_DROP is set.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/src/secmem.c b/src/secmem.c
index 2109bc2..c4e8414 100644
--- a/src/secmem.c
+++ b/src/secmem.c
@@ -245,15 +245,21 @@ lock_pool (void *p, size_t n)
{
cap_t cap;
- cap = cap_from_text ("cap_ipc_lock+ep");
- cap_set_proc (cap);
- cap_free (cap);
+ if (!no_priv_drop)
+ {
+ cap = cap_from_text ("cap_ipc_lock+ep");
+ cap_set_proc (cap);
+ cap_free (cap);
+ }
err = no_mlock? 0 : mlock (p, n);
if (err && errno)
err = errno;
- cap = cap_from_text ("cap_ipc_lock+p");
- cap_set_proc (cap);
- cap_free(cap);
+ if (!no_priv_drop)
+ {
+ cap = cap_from_text ("cap_ipc_lock+p");
+ cap_set_proc (cap);
+ cap_free(cap);
+ }
}
if (err)
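Review bot: The return values of `cap_from_text` and `cap_set_proc` are still ignored in both guarded blocks of lock_pool, so if the second block fails, cap_ipc_lock stays in the effective set after the mlock call with no error reported. The same pattern is in the secmem_init hunk, where a failed `cap_set_proc` on `all-eip` means the process silently keeps its capabilities. Consider testing `if (!cap || cap_set_proc (cap))` and reporting through the file's usual error path, at least on the two drop paths; a NULL result from `cap_from_text` is currently passed straight on to `cap_set_proc` and `cap_free`. The enclosing function starts and continues outside this hunk.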
@@ -485,13 +491,14 @@ secmem_init (size_t n)
{
#ifdef USE_CAPABILITIES
/* drop all capabilities */
- {
- cap_t cap;
+ if (!no_priv_drop)
+ {
+ cap_t cap;
- cap = cap_from_text ("all-eip");
- cap_set_proc (cap);
- cap_free (cap);
- }
+ cap = cap_from_text ("all-eip");
+ cap_set_proc (cap);
+ cap_free (cap);
+ }
#elif !defined(HAVE_DOSISH_SYSTEM)
uid_t uid;
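Review bot: The comment `/* drop all capabilities */` no longer matches the block below it, because the drop is now skipped whenever no_priv_drop is set. Something like `/* Drop all capabilities unless GCRYCTL_DISABLE_PRIV_DROP was used; the application then keeps them and presumably has to drop them itself. */` would make the security consequence of the flag visible at the point where it takes effect. secmem_init continues past the end of the hunk, so the `#elif` branch cannot be checked here for whether it honours no_priv_drop in the same way.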
@@ -539,7 +546,7 @@ _gcry_secmem_init (size_t n)
gcry_err_code_t
_gcry_secmem_module_init ()
{
- /* No anymore needed. */
+ /* Not anymore needed. */
return 0;
}
-----------------------------------------------------------------------
Summary of changes:
src/secmem.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org