From 17a8c294702acb30c397abc984d69c356cec2cd7 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 23 Dec 2019 00:47:49 -0500
Subject: [PATCH] fix capability removal error handling
https://forums.whonix.org/t/disable-suid-binaries/7706/45
---
 usr/lib/security-misc/permission-hardening | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening
index 0cd1cff..9dc381f 100755
--- a/usr/lib/security-misc/permission-hardening
+++ b/usr/lib/security-misc/permission-hardening
@@ -386,10 +386,17 @@ set_file_perms() {
 fi
 if [ "$capability_from_config" = "none" ]; then
- # sudo setcap -r /usr/bin/ping
+ ## https://forums.whonix.org/t/disable-suid-binaries/7706/45
+ # sudo setcap -r /usr/bin/ping 2>/dev/null
 # Failed to set capabilities on file `/usr/bin/ping' (No data available)
 # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
- echo_wrapper_audit setcap -r "$fso"
+ ## Therefore use echo_wrapper_ignore.
+ echo_wrapper_ignore setcap -r "$fso"
+ getcap_output="$(getcap "$fso")"
+ if [ ! "$getcap_output" = "" ]; then
+ echo "ERROR: removing capabilities for fso '$fso' failed!" >&2
+ continue
+ fi
 else
 if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
 echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2
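Review bot: The post-check after `echo_wrapper_ignore setcap -r "$fso"` is fail-open: `getcap_output="$(getcap "$fso")"` discards getcap's exit status, and getcap writes its diagnostics to stderr, so if the tool is missing, cannot read the file, or otherwise errors out the captured stdout is empty, `[ ! "$getcap_output" = "" ]` is false, and a file whose capabilities were never removed is treated as hardened. Check the status together with the output, e.g. `if ! getcap_output="$(getcap "$fso")" || [ -n "$getcap_output" ]; then`, so both a getcap failure and a remaining capability set reach the existing error branch. Whether the script runs under `set -e` is not visible here; if it does, the bare assignment would abort the whole run on a getcap failure instead of reporting that one file, which the combined test also avoids. The `continue` targets a loop, and the body of set_file_perms, that begin outside the hunk.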