[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-262-g3a3d541

by Werner Koch cvs at cvs.gnupg.org
Mon Sep 7 14:08:12 CEST 2015 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  3a3d5410cc83f7069c7cb1ab384905f382292d32 (commit)
      from  e97c62a4a687b56d00a2d0a63e072a977f8eb81c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 3a3d5410cc83f7069c7cb1ab384905f382292d32
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Sep 7 14:02:09 2015 +0200

    Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
    
    * src/secmem.c (lock_pool, secmem_init): Do not call any cap_
    functions if NO_PRIV_DROP is set.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/secmem.c b/src/secmem.c
index 2109bc2..c4e8414 100644
--- a/src/secmem.c
+++ b/src/secmem.c
@@ -245,15 +245,21 @@ lock_pool (void *p, size_t n)
   {
     cap_t cap;
 
-    cap = cap_from_text ("cap_ipc_lock+ep");
-    cap_set_proc (cap);
-    cap_free (cap);
+    if (!no_priv_drop)
+      {
+        cap = cap_from_text ("cap_ipc_lock+ep");
+        cap_set_proc (cap);
+        cap_free (cap);
+      }
     err = no_mlock? 0 : mlock (p, n);
     if (err && errno)
       err = errno;
-    cap = cap_from_text ("cap_ipc_lock+p");
-    cap_set_proc (cap);
-    cap_free(cap);
+    if (!no_priv_drop)
+      {
+        cap = cap_from_text ("cap_ipc_lock+p");
+        cap_set_proc (cap);
+        cap_free(cap);
+      }
   }
 
   if (err)
@@ -485,13 +491,14 @@ secmem_init (size_t n)
     {
 #ifdef USE_CAPABILITIES
       /* drop all capabilities */
-      {
-        cap_t cap;
+      if (!no_priv_drop)
+        {
+          cap_t cap;
 
-        cap = cap_from_text ("all-eip");
-        cap_set_proc (cap);
-        cap_free (cap);
-      }
+          cap = cap_from_text ("all-eip");
+          cap_set_proc (cap);
+          cap_free (cap);
+        }
 
 #elif !defined(HAVE_DOSISH_SYSTEM)
       uid_t uid;
@@ -539,7 +546,7 @@ _gcry_secmem_init (size_t n)
 gcry_err_code_t
 _gcry_secmem_module_init ()
 {
-  /* No anymore needed.  */
+  /* Not anymore needed.  */
   return 0;
 }
 

-----------------------------------------------------------------------

Summary of changes:
 src/secmem.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org

More information about the Gnupg-commits mailing list