From: Lennart Poettering Date: Wed, 28 Jun 2017 17:29:45 +0000 (+0200) Subject: Only drop the capabilities from the bounding set if we are running as PID1 (#6204) X-Git-Tag: v234~66 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0d787d5ff812bc038384ff39f8b1d64f6c2ed13f;p=platform%2Fupstream%2Fsystemd.git Only drop the capabilities from the bounding set if we are running as PID1 (#6204) The CapabilityBoundingSet option only makes sense if we are running as PID1. The system.conf.d(5) manpage, already states that the CapabilityBoundingSet option: Controls which capabilities to include in the capability bounding set for PID 1 and its children. https://github.com/systemd/systemd/issues/6080 --- diff --git a/src/core/main.c b/src/core/main.c index c2439ed..88e2c92 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1780,7 +1780,7 @@ int main(int argc, char *argv[]) { if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0) log_error_errno(errno, "Failed to adjust timer slack: %m"); - if (!cap_test_all(arg_capability_bounding_set)) { + if (arg_system && !cap_test_all(arg_capability_bounding_set)) { r = capability_bounding_set_drop_usermode(arg_capability_bounding_set); if (r < 0) { log_emergency_errno(r, "Failed to drop capability bounding set of usermode helpers: %m");
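Review bot: with the new guard, a non-default CapabilityBoundingSet configured for a user instance is silently ignored: when `arg_system` is false the whole `if` is skipped, so the setting gets neither the drop nor any log line. A `log_debug` (or a warning when the option is parsed for the user instance) stating that the option only applies to the system instance would match the system.conf.d(5) wording quoted in the commit message, and a short comment above `if (arg_system && !cap_test_all(arg_capability_bounding_set))` would tell the next reader why the check is on the system-instance flag. Worth noting too that `arg_system` is that flag rather than a `getpid() == 1` test, so the commit message's "running as PID1" wording is slightly broader than what the hunk actually checks; if the two are meant to coincide here, saying so in the comment avoids the question coming up again.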