core: do not drop CAP_SETUID if it is in AmbientCapabilities=

Follow-up for 24832d10b604848cf46624bb439c7fac27f3ce3f
2025-02-27 01:57:35 +03:00 · 2023-12-01 01:44:54 +00:00 · 2023-12-01 01:44:54 +00:00 · f4a35f2ad9
commit f4a35f2ad9
parent 3f3ec0b8e8
3 changed files with 19 additions and 4 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -4918,10 +4918,12 @@ int exec_invoke(
                        }

                        if (keep_seccomp_privileges) {
-                                r = drop_capability(CAP_SETUID);
-                                if (r < 0) {
-                                        *exit_status = EXIT_USER;
-                                        return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                if (!FLAGS_SET(capability_ambient_set, (UINT64_C(1) << CAP_SETUID))) {
+                                        r = drop_capability(CAP_SETUID);
+                                        if (r < 0) {
+                                                *exit_status = EXIT_USER;
+                                                return log_exec_error_errno(context, params, r, "Failed to drop CAP_SETUID: %m");
+                                        }
                                }

                                r = keep_capability(CAP_SYS_ADMIN);
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@ -1070,6 +1070,9 @@ static void test_exec_ambientcapabilities(Manager *m) {
        test(m, "exec-ambientcapabilities.service", 0, CLD_EXITED);
        test(m, "exec-ambientcapabilities-merge.service", 0, CLD_EXITED);

+        if (have_effective_cap(CAP_SETUID) > 0)
+                test(m, "exec-ambientcapabilities-dynuser.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
+
        if (!check_nobody_user_and_group()) {
                log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping remaining tests in %s", __func__);
                return;
--- a/test/test-execute/exec-ambientcapabilities-dynuser.service
+++ b/test/test-execute/exec-ambientcapabilities-dynuser.service
@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Test for AmbientCapabilities (dynamic user)
+
+[Service]
+ExecStart=/bin/sh -x -c 'c=$$(grep "CapAmb:" /proc/self/status); test "$$c" = "CapAmb:	0000000000002081"'
+Type=oneshot
+AmbientCapabilities=CAP_CHOWN CAP_SETUID CAP_NET_RAW
+DynamicUser=yes
+PrivateUsers=yes