Fix CAP representation for prctl

rusty-snake · rusty-snake · commit 10794615bd97 · 2025-05-02T10:58:34.000+02:00
diff --git a/src/thread/prctl.rs b/src/thread/prctl.rs
@@ -21,6 +21,7 @@ use crate::backend::prctl::syscalls;
 use crate::ffi::CString;
 use crate::ffi::{c_int, c_uint, c_void, CStr};
 use crate::io;
+use crate::io::Errno;
 use crate::pid::Pid;
 use crate::prctl::{
     prctl_1arg, prctl_2args, prctl_3args, prctl_get_at_arg2_optional, PointerAuthenticationKeys,
@@ -464,13 +465,14 @@ impl CompatCapability for CapabilitySet {
 /// [`prctl(PR_CAPBSET_READ,…)`]: https://man7.org/linux/man-pages/man2/prctl.2.html
 #[inline]
 pub fn capability_is_in_bounding_set(capability: impl CompatCapability) -> io::Result<bool> {
-    unsafe {
-        prctl_2args(
-            PR_CAPBSET_READ,
-            capability.as_capability_set(private::Token).bits() as usize as *mut _,
-        )
+    let capset = capability.as_capability_set(private::Token).bits();
+    let cap = capset.trailing_zeros();
+    if capset.leading_zeros() + cap + 1 != u64::BITS {
+        return Err(Errno::INVAL);
     }
-    .map(|r| r != 0)
+
+    unsafe { prctl_2args(PR_CAPBSET_READ, ptr::without_provenance_mut(cap as usize)) }
+        .map(|r| r != 0)
 }
 
 const PR_CAPBSET_DROP: c_int = 24;
@@ -485,13 +487,13 @@ const PR_CAPBSET_DROP: c_int = 24;
 /// [`prctl(PR_CAPBSET_DROP,…)`]: https://man7.org/linux/man-pages/man2/prctl.2.html
 #[inline]
 pub fn remove_capability_from_bounding_set(capability: impl CompatCapability) -> io::Result<()> {
-    unsafe {
-        prctl_2args(
-            PR_CAPBSET_DROP,
-            capability.as_capability_set(private::Token).bits() as usize as *mut _,
-        )
+    let capset = capability.as_capability_set(private::Token).bits();
+    let cap = capset.trailing_zeros();
+    if capset.leading_zeros() + cap + 1 != u64::BITS {
+        return Err(Errno::INVAL);
     }
-    .map(|_r| ())
+
+    unsafe { prctl_2args(PR_CAPBSET_DROP, ptr::without_provenance_mut(cap as usize)) }.map(|_r| ())
 }
 
 //
@@ -693,8 +695,20 @@ const PR_CAP_AMBIENT_IS_SET: usize = 1;
 /// [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_IS_SET,…)`]: https://man7.org/linux/man-pages/man2/prctl.2.html
 #[inline]
 pub fn capability_is_in_ambient_set(capability: impl CompatCapability) -> io::Result<bool> {
-    let cap = capability.as_capability_set(private::Token).bits() as usize as *mut _;
-    unsafe { prctl_3args(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET as *mut _, cap) }.map(|r| r != 0)
+    let capset = capability.as_capability_set(private::Token).bits();
+    let cap = capset.trailing_zeros();
+    if capset.leading_zeros() + cap + 1 != u64::BITS {
+        return Err(Errno::INVAL);
+    }
+
+    unsafe {
+        prctl_3args(
+            PR_CAP_AMBIENT,
+            PR_CAP_AMBIENT_IS_SET as *mut _,
+            ptr::without_provenance_mut(cap as usize),
+        )
+    }
+    .map(|r| r != 0)
 }
 
 const PR_CAP_AMBIENT_CLEAR_ALL: usize = 4;
@@ -729,9 +743,20 @@ pub fn configure_capability_in_ambient_set(
     } else {
         PR_CAP_AMBIENT_LOWER
     };
-    let cap = capability.as_capability_set(private::Token).bits() as usize as *mut _;
+    let capset = capability.as_capability_set(private::Token).bits();
+    let cap = capset.trailing_zeros();
+    if capset.leading_zeros() + cap + 1 != u64::BITS {
+        return Err(Errno::INVAL);
+    }
 
-    unsafe { prctl_3args(PR_CAP_AMBIENT, sub_operation as *mut _, cap) }.map(|_r| ())
+    unsafe {
+        prctl_3args(
+            PR_CAP_AMBIENT,
+            sub_operation as *mut _,
+            ptr::without_provenance_mut(cap as usize),
+        )
+    }
+    .map(|_r| ())
 }
 
 //
