nspawn: don't hard fail when setting capabilities

[thirdparty/systemd.git] / src / basic / capability-util.h

diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index e69b2fbb957854da3ec0eb52ca977729155e4e3d..b5bce29ab53841d672a7d0871ff95fd917c5df4f 100644 (file)
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -69,4 +69,9 @@ static inline bool capability_quintet_is_set(const CapabilityQuintet *q) {
                 q->ambient != (uint64_t) -1;
 }
 
+/* Mangles the specified caps quintet taking the current bounding set into account:
+ * drops all caps from all five sets if our bounding set doesn't allow them.
+ * Returns true if the quintet was modified. */
+bool capability_quintet_mangle(CapabilityQuintet *q);
+
 int capability_quintet_enforce(const CapabilityQuintet *q);