From f9bf9ac5606961e5386a0eabe6b156a8a18d83ee Mon Sep 17 00:00:00 2001
From: Misaki Kasumi
Date: Fri, 20 Dec 2024 20:35:08 +0800
Subject: [PATCH] chore: Check CAP_SYS_ADMIN in ot_util_process_privileged

---
 src/libotutil/ot-unix-utils.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/libotutil/ot-unix-utils.c b/src/libotutil/ot-unix-utils.c
index 7a3192fe..bf2310de 100644
--- a/src/libotutil/ot-unix-utils.c
+++ b/src/libotutil/ot-unix-utils.c
@@ -32,6 +32,9 @@
 #include
 #include
 #include
+#include
+#include
+#include
 #include
 
 /* Ensure that a pathname component @name does not contain the special Unix
@@ -107,5 +110,12 @@ ot_util_path_split_validate (const char *path, GPtrArray **out_components, GErro
 gboolean
 ot_util_process_privileged (void)
 {
-  return geteuid() == 0;
+  if (geteuid() != 0)
+    return FALSE;
+
+  // https://github.com/containers/bootc/blob/c88fcfd6e145863408bde7d4706937dd323f64e2/lib/src/cli.rs#L621
+  if (prctl (PR_CAPBSET_READ, CAP_SYS_ADMIN) != 1)
+    return FALSE;
+
+  return TRUE;
 }
--
2.30.2
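Review bot: The bare URL above the `prctl (PR_CAPBSET_READ, CAP_SYS_ADMIN)` call in ot_util_process_privileged leaves the reader to fetch bootc's source to learn why euid 0 is no longer sufficient; the reason belongs in the file. Suggested replacement for the URL line: `/* euid 0 is not enough inside a container or user namespace where CAP_SYS_ADMIN was dropped from the bounding set (mirrors bootc); PR_CAPBSET_READ returns 1 only when the cap is present, so 0 and -1 (error/unsupported) both mean unprivileged */`. Note that the bounding set is only an upper bound: a uid-0 process that removed CAP_SYS_ADMIN from its effective set via capset(2) still passes this check, so if that case matters a `capget(2)` query of the effective set would be the stricter test — presumably prctl was chosen to avoid linking libcap, which I am inferring rather than seeing. The header names of the three added includes are stripped in this rendering, so I cannot confirm that the ones providing prctl and CAP_SYS_ADMIN (`<sys/prctl.h>`, `<linux/capability.h>`) are among them.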