mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-10-27 01:55:32 +03:00
core: merge the second CapabilityBoundingSet= lines by AND when it is prefixed with tilde (#6724)
If a unit file contains multiple CapabilityBoundingSet= or AmbientCapabilities= lines, e.g.,
===
CapabilityBoundingSet=CAP_A CAP_B
CapabilityBoundingSet=~CAP_B CAP_C
===
before this commit, it results in all capabilities except CAP_C being set to CapabilityBoundingSet=, as each line is always merged by OR. This commit makes lines prefixed with ~ be merged by AND. So, for the above example only CAP_A is set. This makes it easier to drop capabilities with drop-in config files.
This commit is contained in:
parent
6b3c9ead19
commit
c792ec2e35
@ -1174,14 +1174,16 @@ int config_parse_capability_set(
|
||||
return 0;
|
||||
}
|
||||
|
||||
sum = invert ? ~sum : sum;
|
||||
|
||||
if (sum == 0 || *capability_set == initial)
|
||||
/* "" or uninitialized data -> replace */
|
||||
*capability_set = sum;
|
||||
else
|
||||
/* "", "~" or uninitialized data -> replace */
|
||||
*capability_set = invert ? ~sum : sum;
|
||||
else {
|
||||
/* previous data -> merge */
|
||||
*capability_set |= sum;
|
||||
if (invert)
|
||||
*capability_set &= ~sum;
|
||||
else
|
||||
*capability_set |= sum;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
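Review bot: In the replace branch, `sum == 0` is now tested before the inversion is applied, so a line consisting only of `~` takes `*capability_set = invert ? ~sum : sum;` and sets every bit, discarding whatever earlier lines or drop-ins had restricted. Under the AND semantics the commit message describes, an empty inverted list would be a no-op, so this reset should either go through the merge branch or be called out in the option's documentation. The same condition uses `*capability_set == initial` to mean "not yet assigned", but a set that earlier lines have merged to a value equal to `initial` is indistinguishable from an unassigned one, and a following `~CAP_X` line is then replaced with `~sum` instead of being AND-ed into the previous data. Consider tracking "already assigned" separately from the value, and add tests for the multi-line cases (plain then tilde, tilde then plain, bare `~` after a restriction).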