mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

core: drop ambient capabilities in user manager

Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.

(cherry picked from commit 963b6b906e)
Łukasz Stelmach 2022-07-12 13:57:32 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent 689487785f
commit c88309d5cd


@ -2806,6 +2806,11 @@ int main(int argc, char *argv[]) {
/* clear the kernel timestamp, because we are not PID 1 */ /* clear the kernel timestamp, because we are not PID 1 */
kernel_timestamp = DUAL_TIMESTAMP_NULL; kernel_timestamp = DUAL_TIMESTAMP_NULL;
/* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
* not affect the permitted and effective sets which are important for the manager itself to
* operate. */
capability_ambient_set_apply(0, /* also_inherit= */ false);
if (mac_selinux_init() < 0) { if (mac_selinux_init() < 0) {
error_message = "Failed to initialize SELinux support"; error_message = "Failed to initialize SELinux support";
goto finish; goto finish;
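Review bot: The return value of `capability_ambient_set_apply()` on the added line is discarded, so if clearing the ambient set fails the user manager carries on and its services still inherit those capabilities, which is the very case this commit sets out to close. Unlike the `mac_selinux_init()` check directly below it, nothing is logged or propagated. I would at least record the failure, e.g. `r = capability_ambient_set_apply(0, /* also_inherit= */ false);` followed by `if (r < 0) log_warning_errno(r, "Failed to reset ambient capability set, ignoring: %m");` (assuming an `int r` is in scope in `main()`, which this hunk does not show), or fail startup through `error_message` and `goto finish` if running with leftover ambient capabilities is not acceptable. If ignoring the result is deliberate, a `(void)` cast on the call would make that explicit. `main()` begins and ends outside this hunk.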