system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-10-07 08:40:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

core: drop ambient capabilities in user manager

Browse source 
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.
This commit is contained in:
Łukasz Stelmach 2022-07-12 13:57:32 +02:00 committed by Lennart Poettering
parent d8e4960bf1
commit 963b6b906e
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/core/main.c
View file

@ -2825,6 +2825,11 @@ int main(int argc, char *argv[]) {
/* clear the kernel timestamp, because we are not PID 1 */
kernel_timestamp = DUAL_TIMESTAMP_NULL;
/* Clear ambient capabilities, so services do not inherit them implicitly. Dropping them does
* not affect the permitted and effective sets which are important for the manager itself to
* operate. */
capability_ambient_set_apply(0, /* also_inherit= */ false);
if (mac_selinux_init() < 0) {
error_message = "Failed to initialize SELinux support";
goto finish;