Only drop the capabilities from the bounding set if we are running as PID1 (#6204)
The CapabilityBoundingSet option only makes sense if we are running as PID1. The system.conf.d(5) manpage already states that the CapabilityBoundingSet option: "Controls which capabilities to include in the capability bounding set for PID 1 and its children." https://github.com/systemd/systemd/issues/6080
parent
1f47f5504c
commit
0d787d5ff8
|
@ -1780,7 +1780,7 @@ int main(int argc, char *argv[]) {
|
|||
if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)
|
||||
log_error_errno(errno, "Failed to adjust timer slack: %m");
|
||||
|
||||
if (!cap_test_all(arg_capability_bounding_set)) {
|
||||
if (arg_system && !cap_test_all(arg_capability_bounding_set)) {
|
||||
r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
|
||||
if (r < 0) {
|
||||
log_emergency_errno(r, "Failed to drop capability bounding set of usermode helpers: %m");
|
||||
|
|
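Review bot: The new condition on the `if` line tests `arg_system`, while the commit subject and the man page text quoted in the message speak of PID 1; if a system-mode manager can ever run without being PID 1, the bounding set is still dropped there. Either also test `getpid() == 1`, or add a short comment above the `if` stating that `arg_system` is the intended check. Separately, a non-system instance that has CapabilityBoundingSet= configured now skips the setting with no trace; a debug or warning log in that case would make the ignored option visible to whoever set it.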