Diffstat (limited to 'src/daemon/caps.c')
-rw-r--r-- | src/daemon/caps.c | 58 |
1 files changed, 33 insertions, 25 deletions
diff --git a/src/daemon/caps.c b/src/daemon/caps.c index af593388..ae07119c 100644 --- a/src/daemon/caps.c +++ b/src/daemon/caps.c @@ -1,5 +1,3 @@ -/* $Id$ */ - /*** This file is part of PulseAudio. @@ -85,31 +83,26 @@ void pa_drop_root(void) { #if defined(HAVE_SYS_CAPABILITY_H) && defined(HAVE_SYS_PRCTL_H) /* Limit permitted capabilities set to CAPSYS_NICE */ -int pa_limit_caps(void) { - int r = -1; +void pa_limit_caps(void) { cap_t caps; cap_value_t nice_cap = CAP_SYS_NICE; pa_assert_se(caps = cap_init()); - - cap_clear(caps); - cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET); - cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET); + pa_assert_se(cap_clear(caps) == 0); + pa_assert_se(cap_set_flag(caps, CAP_EFFECTIVE, 1, &nice_cap, CAP_SET) == 0); + pa_assert_se(cap_set_flag(caps, CAP_PERMITTED, 1, &nice_cap, CAP_SET) == 0); if (cap_set_proc(caps) < 0) - goto fail; - - if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) - goto fail; - - pa_log_info("Dropped capabilities successfully."); + /* Hmm, so we couldn't limit our caps, which probably means we + * hadn't any in the first place, so let's just make sure of + * that */ + pa_drop_caps(); + else + pa_log_info("Limited capabilities successfully to CAP_SYS_NICE."); - r = 1; + pa_assert_se(cap_free(caps) == 0); -fail: - cap_free(caps); - - return r; + pa_assert_se(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0); } /* Drop all capabilities, effectively becoming a normal user */ 
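Review bot: In the new `pa_limit_caps()`, the `cap_set_proc(caps) < 0` branch throws away `errno` and assumes the failure means the process had no capabilities to begin with. Now that the function returns `void`, neither the caller nor the log can tell that the limit was not applied or why. Capture the reason before the fallback, for example `pa_log_info("cap_set_proc() failed (%s), dropping all capabilities instead.", pa_cstrerror(errno));` ahead of `pa_drop_caps();`, assuming `pa_cstrerror` is in scope in this file. The `if`/`else` bodies are also unbraced with a three-line comment between the condition and `pa_drop_caps();`, so adding that log line without braces would detach the fallback from the `if`; brace both arms. A one-line comment on the trailing `prctl(PR_SET_KEEPCAPS, 1, ...)` would help too, since it re-enables the flag that `pa_drop_caps()` has just cleared on the fallback path.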
@@ -119,21 +112,36 @@ void pa_drop_caps(void) { pa_assert_se(prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0); pa_assert_se(caps = cap_init()); - cap_clear(caps); + pa_assert_se(cap_clear(caps) == 0); pa_assert_se(cap_set_proc(caps) == 0); - cap_free(caps); + pa_assert_se(cap_free(caps) == 0); + + pa_assert_se(!pa_have_caps()); +} + +pa_bool_t pa_have_caps(void) { + cap_t caps; + cap_flag_value_t flag = CAP_CLEAR; + + pa_assert_se(caps = cap_get_proc()); + pa_assert_se(cap_get_flag(caps, CAP_SYS_NICE, CAP_EFFECTIVE, &flag) >= 0); + pa_assert_se(cap_free(caps) == 0); + + return flag == CAP_SET; } #else /* NOOPs in case capabilities are not available. */ -int pa_limit_caps(void) { - return 0; +void pa_limit_caps(void) { } -int pa_drop_caps(void) { +void pa_drop_caps(void) { pa_drop_root(); - return 0; +} + +pa_bool_t pa_have_caps(void) { + return FALSE; } #endif |
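Review bot: The new post-condition `pa_assert_se(!pa_have_caps());` in `pa_drop_caps()` is weaker than the "drop all capabilities" contract it guards, because `pa_have_caps()` only reads `CAP_SYS_NICE` in `CAP_EFFECTIVE`. It would still pass if another capability, or `CAP_SYS_NICE` in the permitted set, had survived. If the check is meant as a real verification, read the set back with `cap_get_proc()` and compare it against the cleared set (for instance with `cap_compare()`, where the libcap in use provides it). Otherwise, document the narrow meaning on the helper: `/* TRUE only if CAP_SYS_NICE is in the effective set; says nothing about other capabilities or the permitted set. */`. The `#else` stub returns `FALSE` unconditionally, so callers on builds without capability support should not read `FALSE` as "unprivileged"; a comment there saying so would prevent misuse. The body of `pa_drop_caps()` starts above this hunk, so anything before the `prctl` call is not visible here.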