From cd2bd2abe7ca9f127bd2163fb71510d987a957da Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C5=81ukasz=20Stelmach?=
Date: Tue, 28 May 2024 16:56:03 +0200
Subject: [PATCH] Revert "execute: Call capability_ambient_set_apply even if ambient set is 0"
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

With ambient capabilities being dropped at the start of process managers (both system and user) as well as systemd-executor it isn't necessary to drop them here. Moreover, at this point also the inheritable set can be preserved. This makes it possible to assign a user session manager inheritable capabilities which combined with file capabilites (ei sets) of service executables enable running user services with capabilities but only when started by the manager.

This reverts commit 943800f4e7728feb2416dd57b8c296614497b94f.

Change-Id: I479f6268373ac8b0772f9ac56dd52f45e6003705
Signed-off-by: Łukasz Stelmach
Forwarded: https://github.com/systemd/systemd/pull/32937
---
 src/core/exec-invoke.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 6cddf67..36a7303 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4979,7 +4979,7 @@ int exec_invoke(
 *
 * The requested ambient capabilities are raised in the inheritable set if the second
 * argument is true. */
- if (!needs_ambient_hack) {
+ if (!needs_ambient_hack && capability_ambient_set != 0) {
 r = capability_ambient_set_apply(capability_ambient_set, /* also_inherit= */ true);
 if (r < 0) {
 *exit_status = EXIT_CAPABILITIES;
-- 
2.7.4
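Review bot: The restored `capability_ambient_set != 0` guard makes the empty-request case depend on the manager's ambient set already being empty when exec_invoke runs, an invariant the commit message asserts but the new code neither checks nor records. The comment block directly above the condition still describes only the non-empty path, so the skipped case should be stated there, e.g. `/* An empty request leaves the ambient and inheritable sets as the manager handed them over; managers drop their own ambient set at startup, so nothing is passed on unintentionally. */`. If the variable can hold an "unset" sentinel distinct from 0, the comparison should test that sentinel rather than 0; the hunk does not show how the value is initialised, so this needs checking against the earlier part of the function. exec_invoke's body begins and ends outside the hunk.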