From: iplayinsun <iplayinsun@gmail.com>
Date: Mon, 4 Sep 2017 03:12:27 +0000 (+0900)
Subject: core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with... 
X-Git-Tag: v235~175
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c792ec2e3512a672881fc847ff432e26b641c9c9;p=platform%2Fupstream%2Fsystemd.git

core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with tilde (#6724)

If a unit file contains multiple CapabilityBoundingSet= or
AmbientCapabilities= lines, e.g.,
===
CapabilityBoundingSet=CAP_A CAP_B
CapabilityBoundingSet=~CAP_B CAP_C
===
before this commit, it results all capabilities except CAP_C are set to
CapabilityBoundingSet=, as each lines are always merged by OR.
This commit makes lines prefixed with ~ are merged by AND. So, for the
above example only CAP_A is set.
This makes easier to drop capabilities with drop-in config files.
---

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 7bcce9b..7fa1baf 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -1174,14 +1174,16 @@ int config_parse_capability_set(
                 return 0;
         }
 
-        sum = invert ? ~sum : sum;
-
         if (sum == 0 || *capability_set == initial)
-                /* "" or uninitialized data -> replace */
-                *capability_set = sum;
-        else
+                /* "", "~" or uninitialized data -> replace */
+                *capability_set = invert ? ~sum : sum;
+        else {
                 /* previous data -> merge */
-                *capability_set |= sum;
+                if (invert)
+                        *capability_set &= ~sum;
+                else
+                        *capability_set |= sum;
+        }
 
         return 0;
 }