core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with tilde (#6724)

If a unit file contains multiple CapabilityBoundingSet= or AmbientCapabilities= lines, e.g., === CapabilityBoundingSet=CAP_A CAP_B CapabilityBoundingSet=~CAP_B CAP_C === before this commit, it results all capabilities except CAP_C are set to CapabilityBoundingSet=, as each lines are always merged by OR. This commit makes lines prefixed with ~ are merged by AND. So, for the above example only CAP_A is set. This makes easier to drop capabilities with drop-in config files.
2017-09-04 12:12:27 +09:00 · 2017-09-04 12:12:27 +09:00 · c792ec2e35
parent 6b3c9ead19
commit c792ec2e35
1 changed files with 8 additions and 6 deletions
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -1174,14 +1174,16 @@ int config_parse_capability_set(
                return 0;
        }

-        sum = invert ? ~sum : sum;
-
        if (sum == 0 || *capability_set == initial)
-                /* "" or uninitialized data -> replace */
-                *capability_set = sum;
-        else
+                /* "", "~" or uninitialized data -> replace */
+                *capability_set = invert ? ~sum : sum;
+        else {
                /* previous data -> merge */
-                *capability_set |= sum;
+                if (invert)
+                        *capability_set &= ~sum;
+                else
+                        *capability_set |= sum;
+        }

        return 0;
 }