diff options
| author | Luca Boccassi <bluca@debian.org> | 2023-12-01 02:44:54 +0100 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-12-01 11:48:14 +0100 |
| commit | f4a35f2ad961bae9edc59a28964d2917d5a37632 (patch) | |
| tree | 5067743908a431a9a96c5f4f7d4c2b6126947f34 /src/core/exec-invoke.c | |
| parent | Merge pull request #30211 from yuwata/sd-journal-generic-array-bisect-fix (diff) | |
| download | systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.tar.xz systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.zip | |
core: do not drop CAP_SETUID if it is in AmbientCapabilities=
Follow-up for 24832d10b604848cf46624bb439c7fac27f3ce3f
Diffstat (limited to 'src/core/exec-invoke.c')
| -rw-r--r-- | src/core/exec-invoke.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 1e08296b46..0741ce3c3b 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -4918,10 +4918,12 @@ int exec_invoke( } if (keep_seccomp_privileges) { - r = drop_capability(CAP_SETUID); - if (r < 0) { - *exit_status = EXIT_USER; - return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m"); + if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID))) { + r = drop_capability(CAP_SETUID); + if (r < 0) { + *exit_status = EXIT_USER; + return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m"); + } } r = keep_capability(CAP_SYS_ADMIN); |