Only drop the capabilities from the bounding set if we are running as PID1 (#6204)

The CapabilityBoundingSet option only makes sense if we are running as
PID1.

The system.conf.d(5) manpage already states that the CapabilityBoundingSet
option:
  Controls which capabilities to include in the capability bounding set
  for PID 1 and its children.

https://github.com/systemd/systemd/issues/6080
Lennart Poettering 2017-06-28 19:29:45 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent 1f47f5504c
commit 0d787d5ff8

@ -1780,7 +1780,7 @@ int main(int argc, char *argv[]) {
if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)
log_error_errno(errno, "Failed to adjust timer slack: %m");
if (!cap_test_all(arg_capability_bounding_set)) {
if (arg_system && !cap_test_all(arg_capability_bounding_set)) {
r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);
if (r < 0) {
log_emergency_errno(r, "Failed to drop capability bounding set of usermode helpers: %m");
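Review bot: the new `arg_system &&` guard silently skips the bounding-set drop for a user instance, so a CapabilityBoundingSet= line in user.conf is now ignored without any diagnostic; consider logging a warning in the `!arg_system` case when the set differs from the default (i.e. when `!cap_test_all(arg_capability_bounding_set)`), so the misplaced option is visible to the user rather than quietly dropped. The ordering of the condition is right: `arg_system` is checked first, so the cap test is not even evaluated for user managers, which keeps the following `capability_bounding_set_drop_usermode()` call and its `log_emergency_errno()` failure path reachable only from PID 1, matching the documented scope of the option.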