core: do not drop CAP_SETUID if it is in AmbientCapabilities=

Follow-up for 24832d10b604848cf46624bb439c7fac27f3ce3f
author: Luca Boccassi <bluca@debian.org> 2023-12-01 02:44:54 +0100
committer: Luca Boccassi <luca.boccassi@gmail.com> 2023-12-01 11:48:14 +0100
commit: f4a35f2ad961bae9edc59a28964d2917d5a37632 (patch)
tree: 5067743908a431a9a96c5f4f7d4c2b6126947f34 /src
parent: Merge pull request #30211 from yuwata/sd-journal-generic-array-bisect-fix (diff)
download: systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.tar.xz
systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.zip
2 files changed, 9 insertions, 4 deletions
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 1e08296b46..0741ce3c3b 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4918,10 +4918,12 @@ int exec_invoke(
                         }
 
                         if (keep_seccomp_privileges) {
-                                r = drop_capability(CAP_SETUID);
-                                if (r < 0) {
-                                        *exit_status = EXIT_USER;
-                                        return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID))) {
+                                        r = drop_capability(CAP_SETUID);
+                                        if (r < 0) {
+                                                *exit_status = EXIT_USER;
+                                                return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                        }
                                 }
 
                                 r = keep_capability(CAP_SYS_ADMIN);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 64779d0cf2..9a03e291a0 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -1070,6 +1070,9 @@ static void test_exec_ambientcapabilities(Manager *m) {
         test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
         test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);
 
+        if (have_effective_cap(CAP_SETUID) > 0)
+                test(m, "exec-ambientcapabilities-dynuser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
+
         if (!check_nobody_user_and_group()) {
                 log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                 return;
author	Luca Boccassi <bluca@debian.org>	2023-12-01 02:44:54 +0100
committer	Luca Boccassi <luca.boccassi@gmail.com>	2023-12-01 11:48:14 +0100
commit	f4a35f2ad961bae9edc59a28964d2917d5a37632 (patch)
tree	5067743908a431a9a96c5f4f7d4c2b6126947f34 /src
parent	Merge pull request #30211 from yuwata/sd-journal-generic-array-bisect-fix (diff)
download	systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.tar.xz systemd-f4a35f2ad961bae9edc59a28964d2917d5a37632.zip