fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'"

no longer user end-of-options marker (`--`) for `setcap` since setcap does not support it Fixes https://github.com/QubesOS/qubes-issues/issues/9569 https://forums.whonix.org/t/permission-hardener-error/20719
2024-12-22 20:33:35 +07:00 · 2024-11-10 06:29:17 -05:00 · 2024-11-10 06:29:17 -05:00 · 5bd0a277bf
commit 5bd0a277bf
parent 3af2684134
1 changed files with 6 additions and 1 deletions
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@ -539,7 +539,12 @@ set_file_perms() {
      ## The value of the capability argument is not permitted for a file. Or
      ## the file is not a regular (non-symlink) file
      ## Therefore use echo_wrapper_ignore.
-      echo_wrapper_ignore verbose setcap -r -- "${fso}"
+      ##
+      ## NOTE: setcap does not support End-of-Options Marker ('--') yet.
+      ## setcap bug report:
+      ## setcap Command Does Not Support End-of-Options Marker ('--')
+      ## https://bugzilla.kernel.org/show_bug.cgi?id=219487
+      echo_wrapper_ignore verbose setcap -r "${fso}"
      getcap_output="$(getcap -- "${fso}")"
      if test -n "${getcap_output}"; then
        exit_code=205